Kafdrop: Topic: logstash-local-windows: Messages

Topic Messages: logstash-local-windows

First Offset: 0 Last Offset: 17473 Size: 17473

Partition

Offset

# messages

Message format

Protobuf descriptor

Protobuf message type name

Offset: 0 Key: Timestamp: 2026-05-06 04:53:43.461 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.196\n\tSource Port:\t\t41807\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3c0dee3dbdc8565097384cc8cdbc889fe46f51b786ea28610447469ffa05bb90","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:04:07.138Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:06.053Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1968}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126701,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"41807","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.196","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}

Offset: 1 Key: Timestamp: 2026-05-06 04:53:43.461 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:19.224Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:17.834Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126702,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 2 Key: Timestamp: 2026-05-06 04:53:43.461 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:19.224Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:17.837Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126704,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 3 Key: Timestamp: 2026-05-06 04:53:43.463 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:19.224Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:17.848Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126706,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 4 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:19.224Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:17.849Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":204126708,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 5 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:19.224Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:17.860Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204126711,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 6 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t59335\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67111\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"5ffc860170db5af273a10dcc049356d991c95abb70d85d15d9f86e86fa343982","action":"Filtering Platform Connection","created":"2026-05-05T08:04:24.268Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:22.367Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1968}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"keywords":["Audit Success"],"api":"wineventlog","record_id":204126714,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59335","DestPort":"1514","DestAddress":"172.30.2.163","SourceAddress":"172.30.4.205","ProcessID":"2668","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"48","RemoteUserID":"S-1-0-0","FilterRTID":"67111","Direction":"%%14593"},"channel":"Security"}}

Offset: 7 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1001\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0x58F57B\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{976A05DC-CCF4-F07B-1E4A-16013D755F65}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t172.30.4.206\n\tSource Port:\t\t55966\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"a079fcd81be421255979ef25f990c0e98ee3064ec2b45abe74f767b11b3a7221","action":"Logon","created":"2026-05-05T08:04:26.288Z","code":4624,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:25.097Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"channel":"Security","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4624,"process":{"pid":684,"thread":{"id":4444}},"opcode":"Info","keywords":["Audit Success"],"version":2,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126718,"task":"Logon","event_data":{"SubjectUserName":"-","TargetUserName":"W2016AD-N25$","ProcessId":"0x0","AuthenticationPackageName":"Kerberos","WorkstationName":"-","TransmittedServices":"-","SubjectUserSid":"S-1-0-0","TargetLinkedLogonId":"0x0","SubjectLogonId":"0x0","ElevatedToken":"%%1842","LogonType":"3","LogonProcessName":"Kerberos","TargetDomainName":"TDARPLATFORM.CSOC","KeyLength":"0","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1001","SubjectDomainName":"-","TargetOutboundUserName":"-","TargetOutboundDomainName":"-","ProcessName":"-","ImpersonationLevel":"%%1833","LogonGuid":"{976A05DC-CCF4-F07B-1E4A-16013D755F65}","TargetLogonId":"0x58f57b","LmPackageName":"-","VirtualAccount":"%%1843","IpPort":"55966","IpAddress":"172.30.4.206","RestrictedAdminMode":"-"},"activity_id":"{DE6A64BE-DBBC-0003-C764-6ADEBCDBDC01}"}}

Offset: 8 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59335\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"0720fd01c7538a29cef5cf531a741347c69436712197f3b0f00db36433dd6f27","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:04:30.311Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:28.368Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126723,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"59335","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}

Offset: 9 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:39.380Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:37.842Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":204126728,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 10 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:39.380Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:37.856Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126733,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 11 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:39.381Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:37.872Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":4703,"opcode":"Info","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":204126738,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 12 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2468\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59337\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"c907b63538b8368a766d5300275db648c80e5d82679419bca2854c67beb4c7c5","action":"Filtering Platform Connection","created":"2026-05-05T08:04:54.492Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:52.954Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":5156,"opcode":"Info","version":1,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126743,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"389","DestAddress":"::1","SourceAddress":"::1","ProcessID":"2468","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","LayerRTID":"50","FilterRTID":"65788","SourcePort":"59337"},"channel":"Security"}}

Offset: 13 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59338\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"654b1c1b81eeb4be1f99422a650c9fac3989af9a1483d7f53067edf6eca43809","action":"Filtering Platform Connection","created":"2026-05-05T08:04:54.492Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:53.407Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204126749,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2668","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"59338"},"channel":"Security"}}

Offset: 14 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:59.518Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:57.853Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126754,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 15 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:59.518Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:57.873Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126759,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 16 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.196\n\tSource Port:\t\t53193\n\tDestination Address:\t255.255.255.255\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"573b3fa54e4f2a99a6967a9b02757888675e8c4a5a4d965c6360ff3824a613b1","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:04:59.519Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:58.341Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":5152,"opcode":"Info","api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126764,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"53193","DestPort":"1900","ProcessId":"0","DestAddress":"255.255.255.255","SourceAddress":"172.30.4.196","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}

Offset: 17 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t1900\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t60397\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9b570b2ad07037f7e0a902cb28e25532c1897a4167e3dd9c383d8e3b59b892e0","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:05:16.570Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:15.050Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126769,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"60397","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"1900"},"channel":"Security"}}

Offset: 18 Key: Timestamp: 2026-05-06 04:53:43.464 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:19.595Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:17.874Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126774,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 19 Key: Timestamp: 2026-05-06 04:53:43.468 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:19.595Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:17.890Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126779,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 20 Key: Timestamp: 2026-05-06 04:53:43.468 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59339\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"f9753f3dc92308ca8cbcf0d3175035b922abae9900d3ecd1006d554769ce7ad6","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:05:31.623Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:30.449Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"record_id":204126784,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"59339","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}

Offset: 21 Key: Timestamp: 2026-05-06 04:53:43.468 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:38.692Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:37.861Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":204126789,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 22 Key: Timestamp: 2026-05-06 04:53:43.468 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:38.692Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:37.887Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204126799,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 23 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:40.701Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:38.852Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204126803,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 24 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:40.701Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:38.859Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126807,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 25 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"8ef87cc2271e90dd22e590256418f5913f1641a48280fc3191bebb56abeb7f29","action":"Filtering Platform Connection","created":"2026-05-05T08:05:44.710Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:44.105Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","version":1,"keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126811,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"0","DestAddress":"224.0.0.252","SourceAddress":"172.30.4.205","ProcessID":"4","Protocol":"2","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"System","LayerRTID":"44","FilterRTID":"65787","SourcePort":"0"},"channel":"Security"}}

Offset: 26 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t59340\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1515\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67111\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"2675b8d2fdc78ce6cdfa20ed5bd073f43dd028317f422da45c1282b84dad7e51","action":"Filtering Platform Connection","created":"2026-05-05T08:05:46.721Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:45.481Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"keywords":["Audit Success"],"record_id":204126815,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59340","DestPort":"1515","DestAddress":"172.30.2.163","SourceAddress":"172.30.4.205","ProcessID":"2668","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","FilterRTID":"67111","Direction":"%%14593"},"channel":"Security"}}

Offset: 27 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1001\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x58F57B\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"5fa040dee9480d278848d6ceb65cc99dc7a470d99975de9699264734b0f89765","action":"Logoff","created":"2026-05-05T08:05:50.754Z","code":4634,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:49.159Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":684,"thread":{"id":2124}},"event_id":4634,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204126819,"task":"Logoff","event_data":{"LogonType":"3","TargetUserName":"W2016AD-N25$","TargetLogonId":"0x58f57b","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1001","TargetDomainName":"TDARPLATFORM"},"channel":"Security"}}

Offset: 28 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2468\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59341\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"be6f737f0069f5bebfb6f5dcf162b86a7dee1e68b19c25cf0758de89277d0312","action":"Filtering Platform Connection","created":"2026-05-05T08:05:54.795Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:52.960Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"keywords":["Audit Success"],"opcode":"Info","record_id":204126823,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59341","DestPort":"389","DestAddress":"::1","SourceAddress":"::1","ProcessID":"2468","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","RemoteUserID":"S-1-0-0","LayerRTID":"50","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}

Offset: 29 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x590A82\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"74b5e6f9270673655ce6ba445fc867b0acaa847e0d9b94486e0efb8ee62db267","action":"Logoff","created":"2026-05-05T08:05:54.795Z","code":4634,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:52.963Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":684,"thread":{"id":2124}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4634,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126828,"task":"Logoff","event_data":{"LogonType":"3","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetLogonId":"0x590a82","TargetDomainName":"TDARPLATFORM","TargetUserSid":"S-1-5-18"},"channel":"Security"}}

Offset: 30 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:58.827Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:57.867Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126832,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 31 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:58.827Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:57.879Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204126836,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 32 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:58.827Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:57.892Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204126837,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 33 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:58.827Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:57.892Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204126838,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 34 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:58.827Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:57.892Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126839,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 35 Key: Timestamp: 2026-05-06 04:53:43.469 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:58.827Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:57.893Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126840,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 36 Key: Timestamp: 2026-05-06 04:53:43.470 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t54169\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e9dff7ad7ed8b5f8ba6f4f94c011f577fa7601820844bb26e12f19b19b91d0c8","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:01.846Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:00.676Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","record_id":204126841,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"54169"},"channel":"Security"}}

Offset: 37 Key: Timestamp: 2026-05-06 04:53:43.470 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t54169\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e9dff7ad7ed8b5f8ba6f4f94c011f577fa7601820844bb26e12f19b19b91d0c8","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:01.846Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:00.676Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126842,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"54169","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}

Offset: 38 Key: Timestamp: 2026-05-06 04:53:43.470 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t1136\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t50637\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ba5284c3f574faa3ff5df4744884fb1c36e11cb8e18a928a4648248da3659412","action":"Filtering Platform Connection","created":"2026-05-05T08:00:42.831Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:00:41.499Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253525675,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"1136","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"50637"},"channel":"Security"}}

Offset: 39 Key: Timestamp: 2026-05-06 04:53:43.470 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:06:18.944Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:17.892Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126852,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 40 Key: Timestamp: 2026-05-06 04:53:43.470 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:00:50.913Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:00:49.362Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3088}},"event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":253525683,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 41 Key: Timestamp: 2026-05-06 04:53:43.470 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:00:50.913Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:00:49.376Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3088}},"event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":253525686,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 42 Key: Timestamp: 2026-05-06 04:53:43.470 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:06:18.945Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:17.904Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":204126856,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 43 Key: Timestamp: 2026-05-06 04:53:43.472 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59342\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"56005d39b139c56ce9debe12de414de06f98f7fd361ff01fef9dfd04d5bc8bc4","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:20.962Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:19.509Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Failure"],"record_id":204126857,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"59342","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}

Offset: 44 Key: Timestamp: 2026-05-06 04:53:43.472 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:00:50.913Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:00:49.376Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3088}},"event_id":4703,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253525688,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 45 Key: Timestamp: 2026-05-06 04:53:43.472 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:00:50.913Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:00:49.388Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3088}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253525692,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 46 Key: Timestamp: 2026-05-06 04:53:43.472 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t34483\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67683\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"4e91f431e9000fb1089fb50964fc98ef97e67e422ac3021b51299482212130ed","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:00:54.929Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:00:53.371Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2320}},"event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253525694,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"34483","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67683","Direction":"%%14592"},"channel":"Security"}}

Offset: 47 Key: Timestamp: 2026-05-06 04:53:44.089 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t63485\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"31ad9c3fcae7ab76876eb1002b7a6b3f65f29ef83dccb320187a8a4067f7318f","action":"Filtering Platform Connection","created":"2026-05-05T08:12:07.682Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:06.321Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127717,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"63485"},"channel":"Security"}}

Offset: 48 Key: Timestamp: 2026-05-06 04:53:44.089 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{91B2B5C4-CD78-452C-8871-7D1D30EAE0AF}\n\tName:\t\tActive Directory Domain Controller (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84515\n\nLayer Information:\n\tID:\t\t{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}\n\tName:\t\tALE Listen v6 Layer\n\tRun-Time ID:\t42\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293541528731616\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"a4c60f467931133a1765bfc93482695e875f86c3b500faa53f2e55beb957a03c","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.662Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":660,"thread":{"id":3956}},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","event_id":5447,"computer_name":"w2016ad-n25.tdarplatform.csoc","api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":253526338,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ChangeType":"%%16385","ProviderName":"Microsoft Corporation","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","Action":"%%16390","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","CalloutName":"-","LayerName":"ALE Listen v6 Layer","UserName":"NT AUTHORITY\\LOCAL SERVICE","LayerKey":"{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}","Weight":"10376293541528731616","FilterKey":"{91B2B5C4-CD78-452C-8871-7D1D30EAE0AF}","FilterId":"84515","FilterName":"Active Directory Domain Controller (RPC-EPMAP)","LayerId":"42"},"channel":"Security"}}

Offset: 49 Key: Timestamp: 2026-05-06 04:53:44.089 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{62A21B88-9132-4EB2-898A-93D16EAADDAA}\n\tName:\t\tActive Directory Domain Controller (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84516\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e193d479044b3bb8859af62fec3500155cc8829d6364446d0c8ae71c1ade92ef","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.662Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3956}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5447,"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526339,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Action":"%%16390","ChangeType":"%%16385","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","CalloutName":"-","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterName":"Active Directory Domain Controller (RPC-EPMAP)","Weight":"10376540038224674816","ProviderName":"Microsoft Corporation","FilterKey":"{62A21B88-9132-4EB2-898A-93D16EAADDAA}","FilterId":"84516","LayerName":"ALE Receive/Accept v6 Layer","LayerId":"46"},"channel":"Security"}}

Offset: 50 Key: Timestamp: 2026-05-06 04:53:44.089 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t56529\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"7b5d80e2c531ccbfd93668a923dbcb4d9996536a1810c26ad8fa4bfb1dd63ab2","action":"Filtering Platform Connection","created":"2026-05-05T08:12:07.682Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:06.322Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":5158,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204127718,"task":"Filtering Platform Connection","event_data":{"LayerName":"%%14608","Protocol":"17","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"56529"},"channel":"Security"}}

Offset: 51 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{92CD2CEF-7744-4360-8528-0AF310FCD06B}\n\tName:\t\tMicrosoft Key Distribution Service\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84517\n\nLayer Information:\n\tID:\t\t{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}\n\tName:\t\tALE Listen v4 Layer\n\tRun-Time ID:\t40\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293542535364576\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"f7cdd41a1d70f8e85d4f932106c68624c71378cf36cd143a138b5868bb3285f3","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.662Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":3956}},"event_id":5447,"channel":"Security","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526340,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ProviderName":"Microsoft Corporation","Action":"%%16390","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087","LayerKey":"{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterName":"Microsoft Key Distribution Service","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{92CD2CEF-7744-4360-8528-0AF310FCD06B}","ChangeType":"%%16385","CalloutName":"-","LayerName":"ALE Listen v4 Layer","FilterId":"84517","Weight":"10376293542535364576","LayerId":"40"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 52 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t63485\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"837439a06a5cfc3ad00b096506e35a2095e6312d76ae528b5095d041061ba0f0","action":"Filtering Platform Connection","created":"2026-05-05T08:12:07.682Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:06.322Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127719,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"63485"},"channel":"Security"}}

Offset: 53 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t63485\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65789\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ff529b61d7f0790c0c4e50f14ba019a7687f381073b8320581dc71d770838a1c","action":"Filtering Platform Connection","created":"2026-05-05T08:12:07.682Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:06.322Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":5156,"api":"wineventlog","version":1,"keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127720,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"53","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"684","Protocol":"17","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"48","RemoteUserID":"S-1-0-0","FilterRTID":"65789","SourcePort":"63485"},"channel":"Security"}}

Offset: 54 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{05AB7890-AFC1-413D-8475-25D8AFA5D917}\n\tName:\t\tMicrosoft Key Distribution Service\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84518\n\nLayer Information:\n\tID:\t\t{E1CD9FE7-F4B5-4273-96C0-592E487B8650}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10378405428420673536\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"b48c459130b4024ea53c3d4be41c719a518974ab4a4afe6dea411812cb92ee9d","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.663Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3956}},"computer_name":"w2016ad-n25.tdarplatform.csoc","channel":"Security","event_id":5447,"provider_name":"Microsoft-Windows-Security-Auditing","api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526341,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Action":"%%16390","ChangeType":"%%16385","LayerKey":"{E1CD9FE7-F4B5-4273-96C0-592E487B8650}","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","LayerName":"ALE Receive/Accept v4 Layer","Weight":"10378405428420673536","CalloutName":"-","FilterKey":"{05AB7890-AFC1-413D-8475-25D8AFA5D917}","FilterName":"Microsoft Key Distribution Service","FilterId":"84518","ProviderName":"Microsoft Corporation","LayerId":"44"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 55 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59376\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"10a89467a0ed87d39e1293e1fed14d5570da4e6b5d9d9378948c94c228c7d38d","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:08.886Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":2912}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204127721,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2668","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"59376"},"channel":"Security"}}

Offset: 56 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t59376\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67111\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e39db24bcd6eb16f747ed82e5b12a69f2be591d992707eac982059d1967ede99","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:08.886Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2912}},"event_id":5156,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"api":"wineventlog","record_id":204127722,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"1514","DestAddress":"172.30.2.163","SourceAddress":"172.30.4.205","ProcessID":"2668","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"48","RemoteUserID":"S-1-0-0","FilterRTID":"67111","SourcePort":"59376"},"channel":"Security"}}

Offset: 57 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{14DFB750-36E3-43DA-85A3-F94C5ADED127}\n\tName:\t\tMicrosoft Key Distribution Service\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84519\n\nLayer Information:\n\tID:\t\t{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}\n\tName:\t\tALE Listen v4 Layer\n\tRun-Time ID:\t40\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293542535364576\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"14c454bdf6c39dcef236119390691e8db41641ace02e8e6fb7a1c0e4d77891a7","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.663Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","event_id":5447,"process":{"pid":660,"thread":{"id":3956}},"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":253526342,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","FilterKey":"{14DFB750-36E3-43DA-85A3-F94C5ADED127}","ChangeType":"%%16385","LayerName":"ALE Listen v4 Layer","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterName":"Microsoft Key Distribution Service","CalloutName":"-","Weight":"10376293542535364576","Action":"%%16390","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderName":"Microsoft Corporation","FilterId":"84519","LayerKey":"{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}","LayerId":"40"},"channel":"Security"}}

Offset: 58 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t57611\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9437c47039222225ee9085319b78a3d0f772d5d62d480f5ab126ddefff15d7db","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.426Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":2912}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204127723,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"::","FilterRTID":"0","SourcePort":"57611"},"channel":"Security"}}

Offset: 59 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{286ED657-EFF1-43A0-BAFC-DEFF53ED7DFB}\n\tName:\t\tMicrosoft Key Distribution Service\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84520\n\nLayer Information:\n\tID:\t\t{E1CD9FE7-F4B5-4273-96C0-592E487B8650}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10378405428420673536\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"6f938d83bacdd8f2b0d8f742e580447bbaa38891589e6ceb4eb72bedecf6f793","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.663Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3956}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","event_id":5447,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526343,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ChangeType":"%%16385","LayerName":"ALE Receive/Accept v4 Layer","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","ProviderName":"Microsoft Corporation","LayerKey":"{E1CD9FE7-F4B5-4273-96C0-592E487B8650}","FilterName":"Microsoft Key Distribution Service","FilterKey":"{286ED657-EFF1-43A0-BAFC-DEFF53ED7DFB}","Weight":"10378405428420673536","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Action":"%%16390","FilterId":"84520","CalloutName":"-","LayerId":"44"},"channel":"Security"}}

Offset: 60 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t57611\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"89fb5564a488a1876190e7dabd20a62467683ace5237d9b28b5de41b76544137","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.426Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2912}},"event_id":5158,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127724,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"57611"},"channel":"Security"}}

Offset: 61 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{F48D6143-2A8F-4394-A655-00CA45540D81}\n\tName:\t\tMicrosoft Key Distribution Service\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84521\n\nLayer Information:\n\tID:\t\t{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}\n\tName:\t\tALE Listen v6 Layer\n\tRun-Time ID:\t42\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293541528731616\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"2aa921ad3fe846d3b45cf5d9e98e9591e0ad22a3c5cd162782eafac082a6753b","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.663Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":660,"thread":{"id":3956}},"channel":"Security","event_id":5447,"computer_name":"w2016ad-n25.tdarplatform.csoc","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":253526344,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Action":"%%16390","ProviderName":"Microsoft Corporation","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087","FilterKey":"{F48D6143-2A8F-4394-A655-00CA45540D81}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","ChangeType":"%%16385","FilterName":"Microsoft Key Distribution Service","Weight":"10376293541528731616","LayerName":"ALE Listen v6 Layer","UserName":"NT AUTHORITY\\LOCAL SERVICE","CalloutName":"-","FilterId":"84521","LayerKey":"{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}","LayerId":"42"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 62 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t57611\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e65e3b89e863a8de27e408087738fdc438f2304c5097b9ebdd87c07b34853b18","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.426Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":2912}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","version":1,"record_id":204127725,"task":"Filtering Platform Connection","event_data":{"SourcePort":"57611","DestPort":"53","DestAddress":"::1","SourceAddress":"::1","ProcessID":"684","LayerName":"%%14611","Protocol":"17","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}

Offset: 63 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{DF4C62C5-568D-427E-8E3C-5E5060A44464}\n\tName:\t\tMicrosoft Key Distribution Service\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84522\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"4e68d12bab2687b789995cb2b6888c2081540482a2b28f9f0745bf2044ba81d4","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.663Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":3956}},"event_id":5447,"provider_name":"Microsoft-Windows-Security-Auditing","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":253526345,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ChangeType":"%%16385","Action":"%%16390","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","ProviderName":"Microsoft Corporation","FilterKey":"{DF4C62C5-568D-427E-8E3C-5E5060A44464}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","Weight":"10376540038224674816","LayerName":"ALE Receive/Accept v6 Layer","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterName":"Microsoft Key Distribution Service","FilterId":"84522","CalloutName":"-","LayerId":"46"},"channel":"Security"}}

Offset: 64 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2444\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t57611\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"33da58434767b0d82d0c69a97b7296ff1f5f2acf8bf2cdea080b32adaf4d1b93","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.426Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":2912}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","version":1,"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127726,"task":"Filtering Platform Connection","event_data":{"SourcePort":"57611","DestPort":"53","DestAddress":"::1","SourceAddress":"::1","ProcessID":"2444","Protocol":"17","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","LayerRTID":"46","RemoteUserID":"S-1-0-0","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}

Offset: 65 Key: Timestamp: 2026-05-06 04:53:44.090 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t63485\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"31ad9c3fcae7ab76876eb1002b7a6b3f65f29ef83dccb320187a8a4067f7318f","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.426Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":2912}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127727,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"63485"},"channel":"Security"}}

Offset: 66 Key: Timestamp: 2026-05-06 04:53:44.093 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{DA9C03D9-91CE-4DA9-987E-F5ADCD20C314}\n\tName:\t\tMicrosoft Key Distribution Service\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84523\n\nLayer Information:\n\tID:\t\t{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}\n\tName:\t\tALE Listen v6 Layer\n\tRun-Time ID:\t42\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293541528731616\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"372288f903cb9997c805410c19d09048211571aa9423be9da919691caa73e16c","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.663Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":3956}},"event_id":5447,"channel":"Security","api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526346,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ChangeType":"%%16385","Action":"%%16390","FilterKey":"{DA9C03D9-91CE-4DA9-987E-F5ADCD20C314}","LayerKey":"{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}","CalloutName":"-","FilterName":"Microsoft Key Distribution Service","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Weight":"10376293541528731616","LayerName":"ALE Listen v6 Layer","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderName":"Microsoft Corporation","FilterId":"84523","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","LayerId":"42"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 67 Key: Timestamp: 2026-05-06 04:53:44.094 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t63485\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"837439a06a5cfc3ad00b096506e35a2095e6312d76ae528b5095d041061ba0f0","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.426Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2912}},"event_id":5158,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127728,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"63485"},"channel":"Security"}}

Offset: 68 Key: Timestamp: 2026-05-06 04:53:44.094 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{25314177-F7E7-4C99-B9A3-3A8D3D01A4A7}\n\tName:\t\tMicrosoft Key Distribution Service\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84524\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"4ba5281360b153f58ee1e3318de6e5fc30f3db79a92c0cc883cf422804ab3599","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.663Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":660,"thread":{"id":3956}},"computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5447,"channel":"Security","api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526347,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ProviderName":"Microsoft Corporation","LayerName":"ALE Receive/Accept v6 Layer","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 6c 00 73 00 61 00-73 00 73 00 2e 00 65 00  \\.l.s.a.s.s...e.\n    00000060  78 00 65 00 00 00                                x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterName":"Microsoft Key Distribution Service","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","ChangeType":"%%16385","Weight":"10376540038224674816","Action":"%%16390","FilterKey":"{25314177-F7E7-4C99-B9A3-3A8D3D01A4A7}","FilterId":"84524","CalloutName":"-","LayerId":"46"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 69 Key: Timestamp: 2026-05-06 04:53:44.094 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t51525\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"6f85dbf1f428754b3b1265461c67d390a00689a1829017e6436ae08d690a0ab2","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.427Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2912}},"event_id":5158,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204127729,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"51525"},"channel":"Security"}}

Offset: 70 Key: Timestamp: 2026-05-06 04:53:44.094 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t51525\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65789\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"bcd0a37e168047a9f22378e5fb142157cdaa1a8c3cc5014350f91932023d19c2","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.427Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":2912}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"api":"wineventlog","keywords":["Audit Success"],"record_id":204127730,"task":"Filtering Platform Connection","event_data":{"SourcePort":"51525","DestPort":"53","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"684","Protocol":"17","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"48","FilterRTID":"65789","Direction":"%%14593"},"channel":"Security"}}

Offset: 71 Key: Timestamp: 2026-05-06 04:53:44.094 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{A73DE0C7-BED3-45E7-8827-E99D7D58E6BB}\n\tName:\t\tRPC Endpoint Mapper (TCP, Incoming)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84525\n\nLayer Information:\n\tID:\t\t{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}\n\tName:\t\tALE Listen v4 Layer\n\tRun-Time ID:\t40\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293542535364576\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"c01d713df7df412a4aa629c5926fa0549d014acaf14dda614e6eb12544243f43","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.663Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","event_id":5447,"process":{"pid":660,"thread":{"id":3956}},"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526348,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ChangeType":"%%16385","LayerName":"ALE Listen v4 Layer","Action":"%%16390","LayerKey":"{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","CalloutName":"-","FilterName":"RPC Endpoint Mapper (TCP, Incoming)","Weight":"10376293542535364576","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderName":"Microsoft Corporation","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087","FilterId":"84525","FilterKey":"{A73DE0C7-BED3-45E7-8827-E99D7D58E6BB}","LayerId":"40"},"channel":"Security"}}

Offset: 72 Key: Timestamp: 2026-05-06 04:53:44.094 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2444\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t51525\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"fc0de7e27d0c3654c0e08f145ed0852cba66b7962d22d01fdbe4d239da486951","action":"Filtering Platform Connection","created":"2026-05-05T08:12:10.709Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.427Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2912}},"event_id":5156,"opcode":"Info","keywords":["Audit Success"],"version":1,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127731,"task":"Filtering Platform Connection","event_data":{"SourcePort":"51525","DestPort":"53","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"2444","LayerName":"%%14610","Protocol":"17","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","LayerRTID":"44","RemoteUserID":"S-1-0-0","FilterRTID":"65787","Direction":"%%14592"},"channel":"Security"}}

Offset: 73 Key: Timestamp: 2026-05-06 04:53:44.105 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{77404E32-30C2-4D76-8A1A-121B1D1B73EE}\n\tName:\t\tRPC Endpoint Mapper (TCP, Incoming)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84526\n\nLayer Information:\n\tID:\t\t{E1CD9FE7-F4B5-4273-96C0-592E487B8650}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10378405428420673536\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"c3819afd2767cb08e439bf7220b3165c1126d6753b49c69f8275d6491afb40c0","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.664Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3956}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5447,"channel":"Security","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526349,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","FilterKey":"{77404E32-30C2-4D76-8A1A-121B1D1B73EE}","Action":"%%16390","LayerName":"ALE Receive/Accept v4 Layer","LayerKey":"{E1CD9FE7-F4B5-4273-96C0-592E487B8650}","ChangeType":"%%16385","CalloutKey":"{00000000-0000-0000-0000-000000000000}","FilterName":"RPC Endpoint Mapper (TCP, Incoming)","ProviderName":"Microsoft Corporation","UserName":"NT AUTHORITY\\LOCAL SERVICE","Weight":"10378405428420673536","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","CalloutName":"-","FilterId":"84526","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","LayerId":"44"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 74 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59376\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"93b52bd523150c4d13b3ae181df06a6fe265c15171511fde399287704dacf47c","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:12:13.730Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:11.886Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":5152,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"record_id":204127732,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"59376","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}

Offset: 75 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{CF819BAC-B3ED-417C-BBAE-F1656F93144B}\n\tName:\t\tRPC Endpoint Mapper (TCP, Incoming)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84527\n\nLayer Information:\n\tID:\t\t{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}\n\tName:\t\tALE Listen v4 Layer\n\tRun-Time ID:\t40\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293542535364576\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"fdc0a60abcd07378049bcb73634c97f35b11aab7dcde6a37ba104e82ea2102e7","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.664Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","process":{"pid":660,"thread":{"id":3956}},"event_id":5447,"computer_name":"w2016ad-n25.tdarplatform.csoc","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526350,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","FilterKey":"{CF819BAC-B3ED-417C-BBAE-F1656F93144B}","CalloutKey":"{00000000-0000-0000-0000-000000000000}","LayerName":"ALE Listen v4 Layer","LayerKey":"{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}","Action":"%%16390","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterName":"RPC Endpoint Mapper (TCP, Incoming)","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","ProviderName":"Microsoft Corporation","ChangeType":"%%16385","Weight":"10376293542535364576","CalloutName":"-","FilterId":"84527","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","LayerId":"40"},"channel":"Security"}}

Offset: 76 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59376\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"93b52bd523150c4d13b3ae181df06a6fe265c15171511fde399287704dacf47c","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:12:16.740Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:14.886Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127733,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"59376","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}

Offset: 77 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{EEC83F75-84CF-4EB3-BDD3-9EF32338757C}\n\tName:\t\tRPC Endpoint Mapper (TCP, Incoming)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84528\n\nLayer Information:\n\tID:\t\t{E1CD9FE7-F4B5-4273-96C0-592E487B8650}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10378405428420673536\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"6c19bb08e1295670e5cc049571318c3fa4102313b5e5095328f7b83be7313743","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.664Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","process":{"pid":660,"thread":{"id":3956}},"event_id":5447,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526351,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Action":"%%16390","ChangeType":"%%16385","LayerKey":"{E1CD9FE7-F4B5-4273-96C0-592E487B8650}","LayerName":"ALE Receive/Accept v4 Layer","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterName":"RPC Endpoint Mapper (TCP, Incoming)","UserName":"NT AUTHORITY\\LOCAL SERVICE","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","FilterKey":"{EEC83F75-84CF-4EB3-BDD3-9EF32338757C}","Weight":"10378405428420673536","CalloutName":"-","FilterId":"84528","ProviderName":"Microsoft Corporation","LayerId":"44"},"channel":"Security"}}

Offset: 78 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:19.759Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:17.994Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127734,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 79 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{9D1DE7E3-E3A2-4D4A-8BD0-7098198862D3}\n\tName:\t\tRPC Endpoint Mapper (TCP, Incoming)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84529\n\nLayer Information:\n\tID:\t\t{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}\n\tName:\t\tALE Listen v6 Layer\n\tRun-Time ID:\t42\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293541528731616\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"edde364306e08a625f24e4e12763ad5767db09b386f9089b00fa9d5eb36ff0b8","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.664Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3956}},"computer_name":"w2016ad-n25.tdarplatform.csoc","channel":"Security","event_id":5447,"provider_name":"Microsoft-Windows-Security-Auditing","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526352,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","FilterKey":"{9D1DE7E3-E3A2-4D4A-8BD0-7098198862D3}","ProviderName":"Microsoft Corporation","Action":"%%16390","LayerKey":"{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}","UserName":"NT AUTHORITY\\LOCAL SERVICE","CalloutName":"-","FilterName":"RPC Endpoint Mapper (TCP, Incoming)","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","LayerName":"ALE Listen v6 Layer","ChangeType":"%%16385","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087","Weight":"10376293541528731616","FilterId":"84529","CalloutKey":"{00000000-0000-0000-0000-000000000000}","LayerId":"42"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 80 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:19.760Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:17.995Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127735,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 81 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{B72A4D35-F491-4BDE-BF50-D2D3A306F712}\n\tName:\t\tRPC Endpoint Mapper (TCP, Incoming)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84530\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"883eac6d27cba26ffe91a559df23ad37bb93dce2c38fbd74a94db2abcc09417b","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.664Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","event_id":5447,"process":{"pid":660,"thread":{"id":3956}},"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":253526353,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Action":"%%16390","LayerName":"ALE Receive/Accept v6 Layer","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","ChangeType":"%%16385","CalloutName":"-","UserName":"NT AUTHORITY\\LOCAL SERVICE","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","Weight":"10376540038224674816","FilterKey":"{B72A4D35-F491-4BDE-BF50-D2D3A306F712}","FilterName":"RPC Endpoint Mapper (TCP, Incoming)","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterId":"84530","ProviderName":"Microsoft Corporation","LayerId":"46"},"channel":"Security"}}

Offset: 82 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:19.760Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:17.998Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127736,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 83 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{B7352CA6-6580-4402-817D-7F0FEB247BD2}\n\tName:\t\tRPC Endpoint Mapper (TCP, Incoming)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84531\n\nLayer Information:\n\tID:\t\t{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}\n\tName:\t\tALE Listen v6 Layer\n\tRun-Time ID:\t42\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293541528731616\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"15c166f9c7a494107979dfe41129ce37c164b43bdaba09f34bcd6b719cc2e325","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.664Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"channel":"Security","computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5447,"process":{"pid":660,"thread":{"id":3956}},"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526354,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","FilterKey":"{B7352CA6-6580-4402-817D-7F0FEB247BD2}","ChangeType":"%%16385","Action":"%%16390","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","LayerKey":"{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterName":"RPC Endpoint Mapper (TCP, Incoming)","CalloutName":"-","Weight":"10376293541528731616","ProviderName":"Microsoft Corporation","LayerName":"ALE Listen v6 Layer","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterId":"84531","CalloutKey":"{00000000-0000-0000-0000-000000000000}","LayerId":"42"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 84 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:19.760Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:18.009Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127737,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 85 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{66EE8BDF-3D08-4446-AB68-48B563238643}\n\tName:\t\tRPC Endpoint Mapper (TCP, Incoming)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84532\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ea06598c80662aff6ccf8cefd436ab60835d31d5bf3e235ef26688e232fef3cc","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.662Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.664Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"channel":"Security","process":{"pid":660,"thread":{"id":3956}},"provider_name":"Microsoft-Windows-Security-Auditing","event_id":5447,"computer_name":"w2016ad-n25.tdarplatform.csoc","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526355,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Action":"%%16390","LayerName":"ALE Receive/Accept v6 Layer","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","CalloutName":"-","FilterName":"RPC Endpoint Mapper (TCP, Incoming)","Weight":"10376540038224674816","FilterKey":"{66EE8BDF-3D08-4446-AB68-48B563238643}","ChangeType":"%%16385","ProviderName":"Microsoft Corporation","FilterId":"84532","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","LayerId":"46"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}

Offset: 86 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.25\n\tSource Port:\t\t137\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t137\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"a890b098472f25c8efbdc15f9e77821de5e6a2238adf28111d62b1997f4b3948","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:05.664Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.800Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","record_id":253526356,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"137","ProcessId":"0","DestAddress":"172.30.4.206","SourceAddress":"172.30.4.25","Protocol":"17","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67042","SourcePort":"137"},"channel":"Security"}}

Offset: 87 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:19.760Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:18.009Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127738,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 88 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.196\n\tSource Port:\t\t41807\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67683\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3354b778926a79b0d6f9f99c2082cb96ff54936b0374dac14aa3eed93bf9d056","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:07.684Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:06.073Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1756}},"event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526357,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.196","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67683","SourcePort":"41807"},"channel":"Security"}}

Offset: 89 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:19.760Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:18.010Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204127739,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 90 Key: Timestamp: 2026-05-06 04:53:44.106 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.25\n\tSource Port:\t\t137\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t137\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"a890b098472f25c8efbdc15f9e77821de5e6a2238adf28111d62b1997f4b3948","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:09.692Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:07.872Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"record_id":253526358,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"137","DestPort":"137","ProcessId":"0","DestAddress":"172.30.4.206","SourceAddress":"172.30.4.25","Protocol":"17","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67042","Direction":"%%14592"},"channel":"Security"}}

Offset: 91 Key: Timestamp: 2026-05-06 04:53:44.108 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:19.760Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:18.011Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204127740,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 92 Key: Timestamp: 2026-05-06 04:53:44.651 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:10.738Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.699Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253527009,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 93 Key: Timestamp: 2026-05-06 04:53:44.652 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:10.738Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.699Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253527010,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 94 Key: Timestamp: 2026-05-06 04:53:44.652 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:10.738Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.700Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1756}},"event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":253527011,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 95 Key: Timestamp: 2026-05-06 04:53:44.652 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:12:10.738Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:09.701Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":4703,"opcode":"Info","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":253527012,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 96 Key: Timestamp: 2026-05-06 04:53:44.652 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"8ef87cc2271e90dd22e590256418f5913f1641a48280fc3191bebb56abeb7f29","action":"Filtering Platform Connection","created":"2026-05-05T08:16:05.860Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:16:05.112Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","version":1,"record_id":204128259,"task":"Filtering Platform Connection","event_data":{"SourcePort":"0","DestPort":"0","DestAddress":"224.0.0.252","SourceAddress":"172.30.4.205","ProcessID":"4","Protocol":"2","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","Application":"System","RemoteUserID":"S-1-0-0","LayerRTID":"44","FilterRTID":"65787","Direction":"%%14592"},"channel":"Security"}}

Offset: 97 Key: Timestamp: 2026-05-06 04:53:44.652 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2332\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t56006\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d120bf35217067a8def061913e112370499ca8c073c46a851158bcc236717a7d","action":"Filtering Platform Connection","created":"2026-05-05T08:12:16.797Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:15.048Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253527013,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2332","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"56006"},"channel":"Security"}}

Offset: 98 Key: Timestamp: 2026-05-06 04:53:44.652 Headers: empty

{"message":"Windows Firewall did not apply the following rule:\n\nRule Information:\n\tID:\tCoreNet-Teredo-In\n\tName:\tCore Networking - Teredo (UDP-In)\n\nError Information:\n\tReason:\tLocal Port resolved to an empty set.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"074d34ed9a7f1ec5f33a91780f3a8736a60fe67b69b12c7312565cfdf0c92850","action":"MPSSVC Rule-Level Policy Change","created":"2026-05-05T08:16:05.861Z","code":4957,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:16:05.394Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":684,"thread":{"id":1040}},"activity_id":"{DE6A64BE-DBBC-0003-C764-6ADEBCDBDC01}","event_id":4957,"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204128260,"task":"MPSSVC Rule-Level Policy Change","event_data":{"RuleId":"CoreNet-Teredo-In","RuleName":"Core Networking - Teredo (UDP-In)","RuleAttr":"Local Port"},"channel":"Security"}}

Offset: 99 Key: Timestamp: 2026-05-06 04:53:44.652 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2332\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t56006\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"cbda79926e8143fd477be94397e4a2eafb8f3795f930e55a18a067e62071c999","action":"Filtering Platform Connection","created":"2026-05-05T08:12:16.797Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:12:15.048Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","version":1,"record_id":253527014,"task":"Filtering Platform Connection","event_data":{"SourcePort":"56006","DestPort":"389","DestAddress":"::1","SourceAddress":"::1","ProcessID":"2332","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}