{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:01:58.992Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:01:57.815Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126341,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:01:58.992Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:01:57.816Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204126342,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:01:58.992Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:01:57.816Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3200}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204126343,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:01:58.992Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:01:57.817Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3200}},"event_id":4703,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126344,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59317\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9d8dfefe4e9dc2d02b2758f99be62b7873cca9a2057b53d6c64bc4792142cd09","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:02.010Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:00.205Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"record_id":204126345,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"1514","DestPort":"59317","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","LayerName":"%%14601","Protocol":"6","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59317\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9d8dfefe4e9dc2d02b2758f99be62b7873cca9a2057b53d6c64bc4792142cd09","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:05.034Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:03.215Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":5152,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Failure"],"record_id":204126346,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"59317","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","LayerName":"%%14601","Protocol":"6","Application":"-","LayerRTID":"28","FilterRTID":"67096","SourcePort":"1514"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t46991\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"eaa2c85f824ecdfb5a1a266460e65ad1c608a23598f50cef71e2c80ae49744f2","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:06.040Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:04.705Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126347,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"46991"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t46991\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"eaa2c85f824ecdfb5a1a266460e65ad1c608a23598f50cef71e2c80ae49744f2","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:06.040Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:04.705Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":5152,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"record_id":204126348,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"46991"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.196\n\tSource Port:\t\t41807\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3c0dee3dbdc8565097384cc8cdbc889fe46f51b786ea28610447469ffa05bb90","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:08.055Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:06.045Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Failure"],"record_id":204126349,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"41807","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.196","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59317\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9d8dfefe4e9dc2d02b2758f99be62b7873cca9a2057b53d6c64bc4792142cd09","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:11.072Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:09.225Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Failure"],"record_id":204126350,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"59317","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","LayerName":"%%14601","Protocol":"6","Application":"-","LayerRTID":"28","FilterRTID":"67096","SourcePort":"1514"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.99\n\tSource Port:\t\t48104\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"6d0771d609bf4908d986781f7c97abdc6cea3573a84a4097c6491434994f0428","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:16.121Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:14.089Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126351,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"48104","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.99","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.99\n\tSource Port:\t\t48104\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"6d0771d609bf4908d986781f7c97abdc6cea3573a84a4097c6491434994f0428","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:16.121Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:14.089Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"opcode":"Info","api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126352,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"48104","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.99","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.159Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.797Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204126353,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.159Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.797Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":204126354,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.800Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126355,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.810Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204126356,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.810Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126357,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.811Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126358,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.812Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"record_id":204126359,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.823Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126360,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.823Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204126361,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.823Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":204126362,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:02:19.160Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:17.824Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126363,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2452\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t59318\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"0ec4f4a1c6f8608c4d34fd3a2554be88ee6261847a754f983b1abaea044604c9","action":"Filtering Platform Connection","created":"2026-05-05T08:02:26.203Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:25.041Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5158,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126364,"task":"Filtering Platform 
Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2452","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"59318"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2452\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t59318\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t54781\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67778\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"17af1996736064056f057831e0afd1ccb22cea53ac82cabad9d315cfd63925ed","action":"Filtering Platform Connection","created":"2026-05-05T08:02:26.203Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:25.041Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit 
Success"],"version":1,"opcode":"Info","record_id":204126365,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59318","DestPort":"54781","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"2452","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","FilterRTID":"67778","Direction":"%%14593"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2452\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t55959\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t56918\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t66960\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e336fc7f00be6024b287326a7be5d5c36699cd77764d3b33f32604c30c833083","action":"Filtering Platform Connection","created":"2026-05-05T08:02:26.203Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:25.089Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"api":"wineventlog","keywords":["Audit 
Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"opcode":"Info","record_id":204126366,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"56918","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.206","ProcessID":"2452","LayerName":"%%14610","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"44","RemoteUserID":"S-1-0-0","FilterRTID":"66960","SourcePort":"55959"},"channel":"Security"}}
{"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1001\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0x58D3F1\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{976A05DC-CCF4-F07B-1E4A-16013D755F65}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t172.30.4.206\n\tSource Port:\t\t55959\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"4f2fa159dbf18578f80fd3694567662f0f1286f3a12edb055ad23346461c2959","action":"Logon","created":"2026-05-05T08:02:26.203Z","code":4624,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:25.092Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":684,"thread":{"id":1040}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4624,"channel":"Security","api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":2,"record_id":204126367,"task":"Logon","event_data":{"SubjectUserName":"-","TargetUserName":"W2016AD-N25$","ProcessId":"0x0","AuthenticationPackageName":"Kerberos","WorkstationName":"-","TransmittedServices":"-","SubjectUserSid":"S-1-0-0","TargetLinkedLogonId":"0x0","SubjectLogonId":"0x0","ElevatedToken":"%%1842","LogonType":"3","KeyLength":"0","TargetDomainName":"TDARPLATFORM.CSOC","LogonProcessName":"Kerberos","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1001","SubjectDomainName":"-","TargetOutboundUserName":"-","TargetOutboundDomainName":"-","ProcessName":"-","ImpersonationLevel":"%%1833","LogonGuid":"{976A05DC-CCF4-F07B-1E4A-16013D755F65}","TargetLogonId":"0x58d3f1","LmPackageName":"-","VirtualAccount":"%%1843","IpPort":"55959","IpAddress":"172.30.4.206","RestrictedAdminMode":"-"},"activity_id":"{DE6A64BE-DBBC-0003-C764-6ADEBCDBDC01}"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59319\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"0789044ee591482f1fc357fd53717a96b92142df3ad08077e53628aa09010dc6","action":"Filtering Platform Connection","created":"2026-05-05T08:02:30.222Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:28.242Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126369,"task":"Filtering Platform 
Connection","event_data":{"LayerName":"%%14608","Protocol":"6","ProcessId":"2668","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"59319"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t59319\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67111\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"c12421dfcf84f564fa471fe3fcf229d92a558c86217f4b1231f485f7a576f5b9","action":"Filtering Platform Connection","created":"2026-05-05T08:02:30.222Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:28.242Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit 
Success"],"opcode":"Info","version":1,"record_id":204126370,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"1514","DestAddress":"172.30.2.163","SourceAddress":"172.30.4.205","ProcessID":"2668","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","RemoteUserID":"S-1-0-0","LayerRTID":"48","FilterRTID":"67111","SourcePort":"59319"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t58980\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"98d31bce57291fd11f15a127167af4c901cfdc953888aaccf84a9bd289cd4da6","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:02:30.222Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:02:28.739Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126371,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"58980"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t1900\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t45455\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"294ff1875b16cab7c6b9a5a417a4e9302941679fc9326105802a28a597b6a301","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:03:37.885Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:36.815Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Failure"],"record_id":204126540,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"1900","DestPort":"45455","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t67111\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"f756810a46667fc45ab8f9f5aff838d7f21b4585abc46e74fcaa146271641b16","action":"Filtering Platform Connection","created":"2026-05-05T08:03:38.898Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.101Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","version":1,"record_id":204126541,"task":"Filtering Platform 
Connection","event_data":{"SourcePort":"0","DestPort":"0","DestAddress":"224.0.0.252","SourceAddress":"172.30.4.205","ProcessID":"4","Protocol":"2","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"System","RemoteUserID":"S-1-0-0","LayerRTID":"48","FilterRTID":"67111","Direction":"%%14593"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"8ef87cc2271e90dd22e590256418f5913f1641a48280fc3191bebb56abeb7f29","action":"Filtering Platform Connection","created":"2026-05-05T08:03:38.898Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.101Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","version":1,"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":204126542,"task":"Filtering Platform 
Connection","event_data":{"SourcePort":"0","DestPort":"0","DestAddress":"224.0.0.252","SourceAddress":"172.30.4.205","ProcessID":"4","LayerName":"%%14610","Protocol":"2","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"System","LayerRTID":"44","FilterRTID":"65787","Direction":"%%14592"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.821Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"record_id":204126543,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.822Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":204126544,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.825Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"record_id":204126545,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.833Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":204126546,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.833Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204126547,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.834Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126548,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.835Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":204126549,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.846Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204126550,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.846Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126551,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.847Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204126552,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:03:38.898Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:37.848Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":204126553,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"545161f1bc97c75d6e1f1c2b2f21cd228b666f634c2648968175d61da9f8df31","action":"Filtering Platform Connection","created":"2026-05-05T08:03:40.916Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:39.104Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1700}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"opcode":"Info","keywords":["Audit Success"],"record_id":204126554,"task":"Filtering Platform 
Connection","event_data":{"Direction":"%%14592","DestPort":"0","DestAddress":"224.0.0.251","SourceAddress":"172.30.4.205","ProcessID":"4","LayerName":"%%14610","Protocol":"2","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"System","LayerRTID":"44","FilterRTID":"65787","SourcePort":"0"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"b8ecff2fa088e69d7d4f8e9f8aad751d4ef71e9e80e2a4bc5c4976cd8be8809b","action":"Filtering Platform Connection","created":"2026-05-05T08:03:43.941Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:42.600Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"api":"wineventlog","keywords":["Audit Success"],"record_id":204126555,"task":"Filtering 
Platform Connection","event_data":{"SourcePort":"0","DestPort":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.205","ProcessID":"4","Protocol":"2","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","Application":"System","RemoteUserID":"S-1-0-0","LayerRTID":"44","FilterRTID":"65787","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.112\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67097\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e4ccf948fee2b28b71f542fec3c0e29ccfa0a27f71cb89735b6a060f8f80819e","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:03:46.969Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:44.953Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","record_id":204126556,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"1","DestPort":"5","ProcessId":"4","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.112","Protocol":"1","LayerName":"%%14610","Application":"System","LayerRTID":"44","FilterRTID":"67097","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.112\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67097\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"2650b9dcb8f7490e0a4c12167d313655d0392728c3e53a27bcb4e2444ee23b3e","action":"Filtering Platform Connection","created":"2026-05-05T08:03:46.969Z","code":5157,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:44.953Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5157,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","version":1,"record_id":204126557,"task":"Filtering Platform 
Connection","event_data":{"Direction":"%%14592","DestPort":"5","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.112","ProcessID":"4","Protocol":"1","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"44","Application":"System","FilterRTID":"67097","SourcePort":"1"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.25\n\tSource Port:\t\t137\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t137\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"2c96b014435b2c3561d30a5733e3a9dbe1e5461a4ad1764c77e677b9969d6504","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:03:47.987Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:46.482Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1700}},"event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126558,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"137","DestPort":"137","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.25","Protocol":"17","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.99\n\tSource Port:\t\t59316\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9ee549c048b4927dc09dd6e83c2d6e2a182c04fc411e780507bc0da534a93504","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:03:47.987Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:46.974Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1700}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"opcode":"Info","api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204126559,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.99","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"59316"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.99\n\tSource Port:\t\t59316\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9ee549c048b4927dc09dd6e83c2d6e2a182c04fc411e780507bc0da534a93504","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:03:47.987Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:46.974Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1700}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204126560,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"59316","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.99","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t59156\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"311d9d52f5b49789f6953d3a1859d606b9051fb2797781d61dfac1726c531d10","action":"Filtering Platform Connection","created":"2026-05-05T08:03:50.006Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:48.879Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1700}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","version":1,"keywords":["Audit 
Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204126561,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59156","DestPort":"389","DestAddress":"fe80::6c1c:1afd:b16:ecb9","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"684","Protocol":"6","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"46","RemoteUserID":"S-1-0-0","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2452\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t59331\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"bbae7ae46bd5cdafd16e73874a2e8aa8b8973ecd75f0990066377af5905caaed","action":"Filtering Platform Connection","created":"2026-05-05T08:03:50.006Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:48.904Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1700}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204126562,"task":"Filtering Platform 
Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2452","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"59331"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2452\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t59331\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e629f59a23176268deedd555cf8de96a743b27745cc2d994638887f853b69de5","action":"Filtering Platform Connection","created":"2026-05-05T08:03:50.006Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:48.904Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1700}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"api":"wineventlog","opcode":"Info","keywords":["Audit 
Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"record_id":204126563,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59331","DestPort":"389","DestAddress":"fe80::6c1c:1afd:b16:ecb9","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"2452","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"50","RemoteUserID":"S-1-0-0","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t59331\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"69af55145321e1144b6ac9b9d8793d7b8323f208bb7ae729837d7677459b0a9d","action":"Filtering Platform Connection","created":"2026-05-05T08:03:50.006Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:48.904Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1700}},"event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"version":1,"record_id":204126564,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"389","DestAddress":"fe80::6c1c:1afd:b16:ecb9","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"684","Protocol":"6","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","FilterRTID":"65786","SourcePort":"59331"},"channel":"Security"}}
{"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x58EB9A\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"517e029450c6d2b523e97aaa8ea96954318e4b91e595a94812c597aeb3886a49","action":"Special Logon","created":"2026-05-05T08:03:50.006Z","code":4672,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:48.905Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":684,"thread":{"id":4184}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4672,"api":"wineventlog","keywords":["Audit 
Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204126565,"task":"Special Logon","event_data":{"SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","SubjectUserName":"WIN-MDLQ2GQ94V9$","SubjectLogonId":"0x58eb9a","PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege"},"channel":"Security"}}
{"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0x58EB9A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{8B4CE66B-49E0-E6E5-477B-660E0C9AF7B0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t59331\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"629f83879f58fce46f16e51a4c8df92330d63ec4441646f4aef6276be9930fdc","action":"Logon","created":"2026-05-05T08:03:50.006Z","code":4624,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:48.905Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":684,"thread":{"id":4184}},"event_id":4624,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"version":2,"record_id":204126566,"task":"Logon","event_data":{"SubjectUserName":"-","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x0","AuthenticationPackageName":"Kerberos","WorkstationName":"-","TransmittedServices":"-","SubjectUserSid":"S-1-0-0","TargetLinkedLogonId":"0x0","SubjectLogonId":"0x0","ElevatedToken":"%%1842","LogonType":"3","KeyLength":"0","LogonProcessName":"Kerberos","TargetDomainName":"TDARPLATFORM.CSOC","TargetUserSid":"S-1-5-18","SubjectDomainName":"-","TargetOutboundUserName":"-","TargetOutboundDomainName":"-","ProcessName":"-","ImpersonationLevel":"%%1833","LogonGuid":"{8B4CE66B-49E0-E6E5-477B-660E0C9AF7B0}","TargetLogonId":"0x58eb9a","LmPackageName":"-","VirtualAccount":"%%1843","IpPort":"59331","IpAddress":"fe80::6c1c:1afd:b16:ecb9","RestrictedAdminMode":"-"},"channel":"Security"}}
{"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x58EB9A\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"aa2a004dff4c8dd0d1d283c69c1d207b84ba79d75cffda336ae7f4bf573be271","action":"Logoff","created":"2026-05-05T08:03:50.006Z","code":4634,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:03:48.909Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":684,"thread":{"id":1040}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4634,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit 
Success"],"opcode":"Info","record_id":204126568,"task":"Logoff","event_data":{"LogonType":"3","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetLogonId":"0x58eb9a","TargetUserSid":"S-1-5-18","TargetDomainName":"TDARPLATFORM"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:51.434Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:49.515Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":253526244,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t56069\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d20414f2394a5a23bf3ea44bca12e9a1e131d0e6e51052c0b0b50631eb763452","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.894Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5158,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":204127640,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"56069"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t56069\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65789\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"891d711e6fab6711fd4a87f9443d1aac2033dd6fc690836373adf9d719329a20","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.894Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"api":"wineventlog","record_id":204127641,"task":"Filtering Platform Connection","event_data":{"SourcePort":"56069","DestPort":"53","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"684","LayerName":"%%14611","Protocol":"17","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"48","RemoteUserID":"S-1-0-0","FilterRTID":"65789","Direction":"%%14593"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:51.434Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:49.516Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":253526245,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2444\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t56069\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"c0cfa3f6e00e913edff9999ff5c6092bb4fbe5d153702c0d560fd11c91df9167","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.894Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5156,"api":"wineventlog","opcode":"Info","version":1,"keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127642,"task":"Filtering Platform Connection","event_data":{"SourcePort":"56069","DestPort":"53","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"2444","Protocol":"17","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"44","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","FilterRTID":"65787","Direction":"%%14592"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:51.434Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:49.516Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1756}},"event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526246,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t63485\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"66bbda52ed4a2a4ee9a93fc2c928150778a34ab5d6b680a72beea644311f9de4","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.895Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5158,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127643,"task":"Filtering Platform Connection","event_data":{"LayerName":"%%14608","Protocol":"17","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"::","FilterRTID":"0","SourcePort":"63485"},"channel":"Security"}}
{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:05:51.434Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:49.517Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":253526247,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t63485\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"31ad9c3fcae7ab76876eb1002b7a6b3f65f29ef83dccb320187a8a4067f7318f","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.895Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127644,"task":"Filtering Platform Connection","event_data":{"LayerName":"%%14608","Protocol":"17","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"63485"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2488\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t55977\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"a257b9a3bcec98fe433756fd6c21be573ce7678bdde88578c57d35fa3f789fd6","action":"Filtering Platform Connection","created":"2026-05-05T08:05:59.496Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:58.378Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3088}},"event_id":5158,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526248,"task":"Filtering Platform Connection","event_data":{"LayerName":"%%14608","Protocol":"6","ProcessId":"2488","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"55977"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2488\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t55977\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"a3557319039fb68c33dd2144c4f571c060d7278051a8302e6e7c9c7b9c97e44c","action":"Filtering Platform Connection","created":"2026-05-05T08:05:59.496Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:05:58.378Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3088}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","version":1,"record_id":253526249,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"1514","DestAddress":"172.30.2.163","SourceAddress":"172.30.4.206","ProcessID":"2488","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","FilterRTID":"67057","SourcePort":"55977"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t63485\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"8c241c1569437ee50c68075816eb552cd9b1b5e80958d4fecb58960d3af38815","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.895Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"version":1,"record_id":204127645,"task":"Filtering Platform Connection","event_data":{"SourcePort":"63485","DestPort":"53","DestAddress":"::1","SourceAddress":"::1","ProcessID":"684","Protocol":"17","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t54169\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67683\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"58c846b40e3cfd13e4eca07cfb7e957fd76036c850b5d308bd14e80d02c37959","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:02.516Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:00.688Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1096}},"computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5152,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"record_id":253526250,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"54169","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67683","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t63485\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"31ad9c3fcae7ab76876eb1002b7a6b3f65f29ef83dccb320187a8a4067f7318f","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.896Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5158,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204127646,"task":"Filtering Platform Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"63485"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t1900\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t54169\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67683\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9c573d1ff2905e8a8ddddfb235cb06d1c5543edd2f642068ceca5af0855028b1","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:02.516Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:00.688Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1096}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526251,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"54169","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67683","SourcePort":"1900"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t49810\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9febf33cfbd2f3d8059666c1eba8848910ee0a36096a13b91b3e2754e65e5969","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.896Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127647,"task":"Filtering Platform 
Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"49810"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t55977\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"eba914ccafc7c6afa8658eab7ebbf406be378abe4ad64a0cbfab4fbaa9b4b85b","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:02.516Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:01.371Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1096}},"computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5152,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"record_id":253526252,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"55977","ProcessId":"0","DestAddress":"172.30.4.206","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t63485\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"837439a06a5cfc3ad00b096506e35a2095e6312d76ae528b5095d041061ba0f0","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.896Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5158,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127648,"task":"Filtering Platform 
Connection","event_data":{"LayerName":"%%14608","Protocol":"17","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"63485"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t137\n\tDestination Address:\t172.30.4.25\n\tDestination Port:\t\t137\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ba36b27212cba2ae9ca880194ac5ee1f81af1d45972b856c973b83a506a3eef4","action":"Filtering Platform Connection","created":"2026-05-05T08:06:03.523Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:01.722Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1756}},"event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"api":"wineventlog","keywords":["Audit Success"],"record_id":253526253,"task":"Filtering Platform 
Connection","event_data":{"Direction":"%%14593","DestPort":"137","DestAddress":"172.30.4.25","SourceAddress":"172.30.4.206","ProcessID":"4","LayerName":"%%14611","Protocol":"17","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"48","Application":"System","FilterRTID":"67057","SourcePort":"137"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t63485\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65789\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ff529b61d7f0790c0c4e50f14ba019a7687f381073b8320581dc71d770838a1c","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.896Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"api":"wineventlog","keywords":["Audit 
Success"],"opcode":"Info","version":1,"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127649,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"53","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"684","Protocol":"17","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"48","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","FilterRTID":"65789","SourcePort":"63485"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.112\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67043\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"59d4e6fd3efc9fdfbf21ddc742f8e54b5fdd460bf3a7c4c72da1d8e7bd0a7eb2","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:04.537Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:03.240Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1756}},"event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526254,"task":"Filtering Platform Packet 
Drop","event_data":{"Direction":"%%14592","DestPort":"5","ProcessId":"4","DestAddress":"172.30.4.206","SourceAddress":"172.30.4.112","Protocol":"1","LayerName":"%%14610","Application":"System","LayerRTID":"44","FilterRTID":"67043","SourcePort":"1"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t64266\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"5d413f53b5b78ab36640e0e7d140bfe230c98ffa93187d121533daf54a168bb9","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.898Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127650,"task":"Filtering Platform 
Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"::","FilterRTID":"0","SourcePort":"64266"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.112\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67043\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"6987b944789e44488a6c2f71ef2527b4b6b877145ed23dd5763b3bb3078a497f","action":"Filtering Platform Connection","created":"2026-05-05T08:06:04.537Z","code":5157,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:03.240Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1756}},"event_id":5157,"opcode":"Info","version":1,"keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526255,"task":"Filtering Platform 
Connection","event_data":{"SourcePort":"1","DestPort":"5","DestAddress":"172.30.4.206","SourceAddress":"172.30.4.112","ProcessID":"4","Protocol":"1","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"44","Application":"System","FilterRTID":"67043","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t64266\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d959df22d88ccfa69a6d61d273f5b62f006fe5e83ff989b555d2c3d57e62748b","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.898Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127651,"task":"Filtering Platform 
Connection","event_data":{"LayerName":"%%14608","Protocol":"17","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"64266"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t55977\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"eba914ccafc7c6afa8658eab7ebbf406be378abe4ad64a0cbfab4fbaa9b4b85b","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:06:05.658Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.371Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526256,"task":"Filtering Platform Packet 
Drop","event_data":{"SourcePort":"1514","DestPort":"55977","ProcessId":"0","DestAddress":"172.30.4.206","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67042","Direction":"%%14592"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t64266\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"f877993c3d0e85ac16122157f27d952a1a6d7a301414b8760c87d2c7d0a43b29","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.898Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"keywords":["Audit 
Success"],"api":"wineventlog","record_id":204127652,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"53","DestAddress":"::1","SourceAddress":"::1","ProcessID":"684","LayerName":"%%14611","Protocol":"17","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"50","FilterRTID":"65788","SourcePort":"64266"},"channel":"Security"}}
{"message":"Windows Firewall did not apply the following rule:\n\nRule Information:\n\tID:\tCoreNet-Teredo-In\n\tName:\tCore Networking - Teredo (UDP-In)\n\nError Information:\n\tReason:\tLocal Port resolved to an empty set.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"074d34ed9a7f1ec5f33a91780f3a8736a60fe67b69b12c7312565cfdf0c92850","action":"MPSSVC Rule-Level Policy Change","created":"2026-05-05T08:06:05.658Z","code":4957,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.650Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":3956}},"event_id":4957,"channel":"Security","api":"wineventlog","keywords":["Audit Failure"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526257,"task":"MPSSVC Rule-Level Policy Change","event_data":{"RuleId":"CoreNet-Teredo-In","RuleName":"Core Networking - Teredo (UDP-In)","RuleAttr":"Local Port"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2444\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t64266\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"fd5f239a17d6e58e3a429a81cd067a94f423fda4971d881e94919b01cd3dae40","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.898Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4796}},"event_id":5156,"opcode":"Info","version":1,"keywords":["Audit 
Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127653,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"53","DestAddress":"::1","SourceAddress":"::1","ProcessID":"2444","LayerName":"%%14610","Protocol":"17","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","LayerRTID":"46","FilterRTID":"65786","SourcePort":"64266"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t64291\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e136ac2cd54d41bc36033e9c46d930ccfd1d7c30f515dc6861db3b8359bb31a1","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.898Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204127654,"task":"Filtering Platform 
Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"64291"},"channel":"Security"}}
{"message":"Windows Firewall did not apply the following rule:\n\nRule Information:\n\tID:\tCoreNet-IPHTTPS-In\n\tName:\tCore Networking - IPHTTPS (TCP-In)\n\nError Information:\n\tReason:\tLocal Port resolved to an empty set.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"104e2b23701b1b6c8d6914424092673150731a8629cf2ef64928593222a11d95","action":"MPSSVC Rule-Level Policy Change","created":"2026-05-05T08:06:05.658Z","code":4957,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.650Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3956}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4957,"channel":"Security","opcode":"Info","keywords":["Audit Failure"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526258,"task":"MPSSVC Rule-Level Policy Change","event_data":{"RuleId":"CoreNet-IPHTTPS-In","RuleName":"Core Networking - IPHTTPS (TCP-In)","RuleAttr":"Local Port"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}
{"message":"Windows Firewall did not apply the following rule:\n\nRule Information:\n\tID:\tMDNS-In-UDP\n\tName:\tmDNS (UDP-In)\n\nError Information:\n\tReason:\tLocal Port resolved to an empty set.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"b2f3eb9b7e6137f20f16a5424fac39043e88ce1f0f2a853b42664ab55edf9ada","action":"MPSSVC Rule-Level Policy Change","created":"2026-05-05T08:06:05.658Z","code":4957,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.650Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3956}},"computer_name":"w2016ad-n25.tdarplatform.csoc","channel":"Security","event_id":4957,"provider_name":"Microsoft-Windows-Security-Auditing","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","record_id":253526259,"task":"MPSSVC Rule-Level Policy Change","event_data":{"RuleId":"MDNS-In-UDP","RuleName":"mDNS (UDP-In)","RuleAttr":"Local Port"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t63822\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"c5ab44f7a97f151ad55585a60f868da9c63a67a4b746b18997a79568e94f6e72","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.898Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204127655,"task":"Filtering Platform 
Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"63822"},"channel":"Security"}}
{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nFilter Information:\n\tID:\t\t{42062DED-59E5-4957-A183-ED52134BD0E1}\n\tName:\t\tFile and Printer Sharing (Spooler Service - RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84533\n\nLayer Information:\n\tID:\t\t{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}\n\tName:\t\tALE Listen v4 Layer\n\tRun-Time ID:\t40\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293542535364512\t\n\tConditions:\t\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ad1701149022b9b8a5bcbd19410644b2343a3f1a0b6bf686268f070e3f1eb51d","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.658Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.654Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"channel":"Security","process":{"pid":660,"thread":{"id":3956}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5447,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526260,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Action":"%%16390","ProviderName":"Microsoft Corporation","LayerKey":"{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{42062DED-59E5-4957-A183-ED52134BD0E1}","CalloutName":"-","FilterName":"File and Printer Sharing (Spooler Service - RPC-EPMAP)","Weight":"10376293542535364512","ChangeType":"%%16384","LayerName":"ALE Listen v4 Layer","Conditions":"\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087","FilterId":"84533","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","LayerId":"40"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t56879\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"8c897ff0298dc74eb882d4dbc81cf5ca74bb5e4e7b24f37983fac56dd18f4f3f","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.899Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204127656,"task":"Filtering Platform 
Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"684","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"56879"},"channel":"Security"}}
{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nFilter Information:\n\tID:\t\t{E3559855-E787-44C0-BD35-8955193E5525}\n\tName:\t\tFile and Printer Sharing (Spooler Service - RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84534\n\nLayer Information:\n\tID:\t\t{E1CD9FE7-F4B5-4273-96C0-592E487B8650}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10378404878664859648\t\n\tConditions:\t\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"40e1f0522914320d55fcb6ad643a0f8e7ee69f5080fedaa0987bc5f356646b5c","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.659Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.654Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":3956}},"event_id":5447,"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}","api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526261,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","FilterKey":"{E3559855-E787-44C0-BD35-8955193E5525}","ChangeType":"%%16384","LayerName":"ALE Receive/Accept v4 Layer","Conditions":"\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","ProviderName":"Microsoft Corporation","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","UserName":"NT AUTHORITY\\LOCAL SERVICE","Action":"%%16390","Weight":"10378404878664859648","CalloutName":"-","CalloutKey":"{00000000-0000-0000-0000-000000000000}","LayerKey":"{E1CD9FE7-F4B5-4273-96C0-592E487B8650}","FilterId":"84534","FilterName":"File and Printer Sharing (Spooler Service - RPC-EPMAP)","LayerId":"44"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t56879\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65789\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"efecb78152abbc33aa54d3d3f6abe8a3d9af3b3cfe55c8cb1184b048c9c68ebd","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.899Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","keywords":["Audit 
Success"],"version":1,"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127657,"task":"Filtering Platform Connection","event_data":{"SourcePort":"56879","DestPort":"53","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"684","Protocol":"17","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"48","FilterRTID":"65789","Direction":"%%14593"},"channel":"Security"}}
{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nFilter Information:\n\tID:\t\t{8451F96F-CE04-4292-BBFB-13F77669C7FB}\n\tName:\t\tFile and Printer Sharing (Spooler Service - RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84535\n\nLayer Information:\n\tID:\t\t{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}\n\tName:\t\tALE Listen v4 Layer\n\tRun-Time ID:\t40\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293542535364512\t\n\tConditions:\t\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"fa8d55e39d1878a98ce5b2fa2bd2238907f97a7505869b0dd52eec085653c2ce","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.659Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.654Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"channel":"Security","provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5447,"process":{"pid":660,"thread":{"id":3956}},"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526262,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","UserSid":"S-1-5-19","FilterType":"%%16388","CalloutKey":"{00000000-0000-0000-0000-000000000000}","Action":"%%16390","ChangeType":"%%16384","FilterKey":"{8451F96F-CE04-4292-BBFB-13F77669C7FB}","LayerKey":"{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterName":"File and Printer Sharing (Spooler Service - RPC-EPMAP)","CalloutName":"-","UserName":"NT AUTHORITY\\LOCAL SERVICE","Conditions":"\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","Weight":"10376293542535364512","LayerName":"ALE Listen v4 Layer","FilterId":"84535","ProviderName":"Microsoft Corporation","LayerId":"40"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2444\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t56879\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"df8760c2073212b2df5f0e719bd93d38781f5d3d5478e2e8d69fd0fb270220a6","action":"Filtering Platform Connection","created":"2026-05-05T08:11:59.585Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:11:58.899Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"api":"wineventlog","keywords":["Audit 
Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"record_id":204127658,"task":"Filtering Platform Connection","event_data":{"SourcePort":"56879","DestPort":"53","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"2444","Protocol":"17","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","LayerRTID":"44","RemoteUserID":"S-1-0-0","FilterRTID":"65787","Direction":"%%14592"},"channel":"Security"}}
{"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1236\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nFilter Information:\n\tID:\t\t{AFB7E889-C6D0-4AE9-823E-6EEC6A2E8A67}\n\tName:\t\tFile and Printer Sharing (Spooler Service - RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t84536\n\nLayer Information:\n\tID:\t\t{E1CD9FE7-F4B5-4273-96C0-592E487B8650}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10378404878664859648\t\n\tConditions:\t\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"c6be04e8d79bb1737fa7ef63bc1db7ef475c19ed8eed3a626d1e465f17d32cfd","action":"Other Policy Change Events","created":"2026-05-05T08:06:05.659Z","code":5447,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:06:04.655Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":3956}},"channel":"Security","event_id":5447,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526263,"task":"Other Policy Change Events","event_data":{"ProcessId":"1236","FilterType":"%%16388","UserSid":"S-1-5-19","FilterKey":"{AFB7E889-C6D0-4AE9-823E-6EEC6A2E8A67}","Action":"%%16390","LayerName":"ALE Receive/Accept v4 Layer","Conditions":"\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderName":"Microsoft Corporation","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterName":"File and Printer Sharing (Spooler Service - RPC-EPMAP)","Weight":"10378404878664859648","ChangeType":"%%16384","LayerKey":"{E1CD9FE7-F4B5-4273-96C0-592E487B8650}","FilterId":"84536","CalloutName":"-","LayerId":"44"},"activity_id":"{33A57B7F-DBBD-0002-997B-A533BDDBDC01}"}}
{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t1136\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t52819\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e5c47776e2df06bc1030ec848fa82357a929374c38d07a430fce8056bb603653","action":"Filtering Platform Connection","created":"2026-05-05T08:14:18.884Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:16.878Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1756}},"event_id":5158,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253527345,"task":"Filtering Platform 
Connection","event_data":{"Protocol":"17","LayerName":"%%14608","ProcessId":"1136","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"52819"},"channel":"Security"}}
{"message":"A network share object was accessed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x59CFAA\n\nNetwork Information:\t\n\tObject Type:\t\tFile\n\tSource Address:\t\tfe80::fe:3f96:53e1:fb32\n\tSource Port:\t\t59411\n\t\nShare Information:\n\tShare Name:\t\t\\\\*\\SYSVOL\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\n\nAccess Request Information:\n\tAccess Mask:\t\t0x1\n\tAccesses:\t\tReadData (or ListDirectory)\n\t\t\t\t","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"41a8042c1a1b833254865e3bc4ba2798d132c9eb34d80ef6d9c4b9548f29ca6c","action":"File Share","created":"2026-05-05T08:17:49.712Z","code":5140,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:17:48.119Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1700}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5140,"opcode":"Info","version":1,"api":"wineventlog","keywords":["Audit 
Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128510,"task":"File Share","event_data":{"ShareName":"\\\\*\\SYSVOL","SubjectUserName":"WIN-MDLQ2GQ94V9$","ShareLocalPath":"\\??\\C:\\Windows\\SYSVOL\\sysvol","SubjectUserSid":"S-1-5-18","SubjectDomainName":"TDARPLATFORM","SubjectLogonId":"0x59cfaa","ObjectType":"File","IpPort":"59411","IpAddress":"fe80::fe:3f96:53e1:fb32","AccessList":"%%4416\n\t\t\t\t","AccessMask":"0x1"},"channel":"Security"}}
{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t1136\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t52819\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"01fe46b17db8e453a73556fb51f63e86fe61c7960ff94f0345ac2d36afdad22c","action":"Filtering Platform Connection","created":"2026-05-05T08:14:18.884Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:16.878Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5156,"opcode":"Info","version":1,"api":"wineventlog","keywords":["Audit 
Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253527346,"task":"Filtering Platform Connection","event_data":{"SourcePort":"52819","DestPort":"53","DestAddress":"::1","SourceAddress":"::1","ProcessID":"1136","Protocol":"17","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","LayerRTID":"50","RemoteUserID":"S-1-0-0","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}