Kafdrop: Topic: logstash-local-windows: Messages

Topic Messages: logstash-local-windows

First Offset: 1400670 Last Offset: 1474873 Size: 74203

Partition

Offset

# messages

Message format

Protobuf descriptor

Protobuf message type name

Offset: 1400670 Key: Timestamp: 2025-12-06 11:30:33.005 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t52389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:26.974Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"6d4f2cf91f955067d15e27364b4d9d1d57798c78fe921aa1fe480860a84e6cae","outcome":"failure","created":"2025-12-06T11:54:28.916Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849196,"event_id":5152,"process":{"thread":{"id":4108},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","DestAddress":"172.30.4.205","DestPort":"52389","SourceAddress":"172.30.2.163","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400671 Key: Timestamp: 2025-12-06 11:30:35.248 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t49621\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:29.986Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"1a49c988bfb3ae2928658eff94fb549a1a34624191341b8765a45600ede50a5f","outcome":"failure","created":"2025-12-06T11:54:31.159Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828811,"event_id":5152,"process":{"thread":{"id":4708},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","DestAddress":"172.30.4.206","DestPort":"49621","Protocol":"6","SourceAddress":"172.30.2.163","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400672 Key: Timestamp: 2025-12-06 11:30:36.014 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t52389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:29.984Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"6d4f2cf91f955067d15e27364b4d9d1d57798c78fe921aa1fe480860a84e6cae","outcome":"failure","created":"2025-12-06T11:54:31.929Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849197,"event_id":5152,"process":{"thread":{"id":5060},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","SourceAddress":"172.30.2.163","DestAddress":"172.30.4.205","Protocol":"6","DestPort":"52389","Application":"-","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400673 Key: Timestamp: 2025-12-06 11:30:41.315 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t49621\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:35.986Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"1a49c988bfb3ae2928658eff94fb549a1a34624191341b8765a45600ede50a5f","outcome":"failure","created":"2025-12-06T11:54:37.219Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828812,"event_id":5152,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","DestAddress":"172.30.4.206","DestPort":"49621","Protocol":"6","SourceAddress":"172.30.2.163","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400674 Key: Timestamp: 2025-12-06 11:30:42.047 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t52389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:35.985Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"6d4f2cf91f955067d15e27364b4d9d1d57798c78fe921aa1fe480860a84e6cae","outcome":"failure","created":"2025-12-06T11:54:37.960Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849198,"event_id":5152,"process":{"thread":{"id":1380},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","SourceAddress":"172.30.2.163","DestPort":"52389","Protocol":"6","DestAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400675 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.281Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828819,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400676 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.266Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828814,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400677 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.293Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828821,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400678 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.265Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828813,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400679 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.270Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828815,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessId":"0x11c","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400680 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.293Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828820,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400681 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.294Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828822,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400682 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.280Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828817,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400683 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.280Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828818,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessId":"0x11c","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400684 Key: Timestamp: 2025-12-06 11:30:45.351 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.279Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828816,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400685 Key: Timestamp: 2025-12-06 11:30:45.352 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:39.294Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:54:41.266Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224828823,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400686 Key: Timestamp: 2025-12-06 11:30:51.114 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.860Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849203,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400687 Key: Timestamp: 2025-12-06 11:30:51.114 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.861Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849204,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400688 Key: Timestamp: 2025-12-06 11:30:51.115 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.843Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849199,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400689 Key: Timestamp: 2025-12-06 11:30:51.115 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.862Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849205,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400690 Key: Timestamp: 2025-12-06 11:30:51.115 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.873Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849206,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400691 Key: Timestamp: 2025-12-06 11:30:51.115 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.844Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849200,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400692 Key: Timestamp: 2025-12-06 11:30:51.115 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.873Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849207,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400693 Key: Timestamp: 2025-12-06 11:30:51.115 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.860Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849202,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400694 Key: Timestamp: 2025-12-06 11:30:51.115 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.875Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849209,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400695 Key: Timestamp: 2025-12-06 11:30:51.116 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.847Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849201,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400696 Key: Timestamp: 2025-12-06 11:30:51.116 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:45.874Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:54:47.024Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849208,"event_id":4703,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400697 Key: Timestamp: 2025-12-06 11:30:53.133 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2264\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t52390\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:47.088Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"8fc3a8fa69a95d30a522b8cbcd14b17fd0389bd08a37802913b74048da925ed6","outcome":"success","created":"2025-12-06T11:54:49.046Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849211,"event_id":5156,"process":{"thread":{"id":1380},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","SourceAddress":"::1","DestAddress":"::1","DestPort":"389","RemoteMachineID":"S-1-0-0","ProcessID":"2264","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52390"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400698 Key: Timestamp: 2025-12-06 11:30:53.133 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t692\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t52390\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:47.088Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"569dd44dd7dfb72b274f725eb50928c138f51939b4969b18440b476e687ed9d5","outcome":"success","created":"2025-12-06T11:54:49.046Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849212,"event_id":5156,"process":{"thread":{"id":1380},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"::1","DestAddress":"::1","DestPort":"389","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","RemoteMachineID":"S-1-0-0","ProcessID":"692","Protocol":"6","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"52390"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400699 Key: Timestamp: 2025-12-06 11:30:53.133 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xCEEFE39\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{BE35C157-0D56-EDEF-BA5D-5216564F361C}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t::1\n\tSource Port:\t\t52390\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:47.090Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"ef52a77df4c2a51c264ee5ad94c944a5c0e485b012413da56359d10c1ad13d62","outcome":"success","created":"2025-12-06T11:54:49.046Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849214,"event_id":4624,"process":{"thread":{"id":4888},"pid":692},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","IpAddress":"::1","SubjectUserName":"-","TargetOutboundUserName":"-","LogonGuid":"{BE35C157-0D56-EDEF-BA5D-5216564F361C}","ImpersonationLevel":"%%1833","TargetLogonId":"0xceefe39","SubjectLogonId":"0x0","IpPort":"52390","TargetUserSid":"S-1-5-18","TargetOutboundDomainName":"-","ProcessName":"-","SubjectUserSid":"S-1-0-0","LmPackageName":"-","ProcessId":"0x0","KeyLength":"0","LogonType":"3","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400700 Key: Timestamp: 2025-12-06 11:30:53.133 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEEFE39\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:54:47.090Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"1702d83252ab1ac1691d8e106700613c61c7398e900ab62fccfbc3736d4509cd","outcome":"success","created":"2025-12-06T11:54:49.046Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849213,"event_id":4672,"process":{"thread":{"id":4888},"pid":692},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xceefe39","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400701 Key: Timestamp: 2025-12-06 11:32:45.353 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:39.310Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:56:41.261Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829071,"event_id":4703,"process":{"thread":{"id":2772},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400702 Key: Timestamp: 2025-12-06 11:32:45.353 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:39.333Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:56:41.261Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829078,"event_id":4703,"process":{"thread":{"id":2772},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400703 Key: Timestamp: 2025-12-06 11:32:51.228 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.890Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849508,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400704 Key: Timestamp: 2025-12-06 11:32:51.228 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.889Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849507,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400705 Key: Timestamp: 2025-12-06 11:32:51.228 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t137\n\tDestination Address:\t172.30.4.25\n\tDestination Port:\t\t137\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.698Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"8de0170e668c95bb54ca858776865b4ed10acb27eafc7379130b4988b85ea454","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849503,"event_id":5156,"process":{"thread":{"id":5060},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.205","DestAddress":"172.30.4.25","DestPort":"137","RemoteMachineID":"S-1-0-0","Application":"System","ProcessID":"4","Protocol":"17","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"137"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400706 Key: Timestamp: 2025-12-06 11:32:51.228 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.872Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849504,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400707 Key: Timestamp: 2025-12-06 11:32:51.228 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.872Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849505,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400708 Key: Timestamp: 2025-12-06 11:32:51.228 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.875Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849506,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400709 Key: Timestamp: 2025-12-06 11:32:51.229 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.890Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849509,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400710 Key: Timestamp: 2025-12-06 11:32:51.229 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.892Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849510,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400711 Key: Timestamp: 2025-12-06 11:32:51.229 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.904Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849511,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400712 Key: Timestamp: 2025-12-06 11:32:51.229 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.904Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849512,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400713 Key: Timestamp: 2025-12-06 11:32:51.229 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.905Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849513,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400714 Key: Timestamp: 2025-12-06 11:32:51.229 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:45.906Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T11:56:47.137Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849514,"event_id":4703,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400715 Key: Timestamp: 2025-12-06 11:32:52.251 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEF2120\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:47.114Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"ecb990345f582e0286598dd7f9cdb3be071fa61ef2f8189b2ef6ac6fd3b4461c","outcome":"success","created":"2025-12-06T11:56:48.152Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849518,"event_id":4672,"process":{"thread":{"id":5192},"pid":692},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xcef2120","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400716 Key: Timestamp: 2025-12-06 11:32:52.251 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2264\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t52404\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:47.112Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"f1fff572c97f56ae2c6926b7a6d4d08213732ecc47b9ee5dce93dfebdb3d4d7e","outcome":"success","created":"2025-12-06T11:56:48.151Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849516,"event_id":5156,"process":{"thread":{"id":5732},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","SourceAddress":"::1","DestPort":"389","Protocol":"6","DestAddress":"::1","ProcessID":"2264","RemoteMachineID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52404"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400717 Key: Timestamp: 2025-12-06 11:32:52.251 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t692\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t52404\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:47.112Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"45245ebb169ccffbfd255b02505237736b0cae22fd661aa321d72d85fa587146","outcome":"success","created":"2025-12-06T11:56:48.152Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849517,"event_id":5156,"process":{"thread":{"id":5732},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","RemoteMachineID":"S-1-0-0","DestPort":"389","Protocol":"6","DestAddress":"::1","ProcessID":"692","SourceAddress":"::1","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"52404"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400718 Key: Timestamp: 2025-12-06 11:32:52.251 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xCEF2120\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{BE35C157-0D56-EDEF-BA5D-5216564F361C}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t::1\n\tSource Port:\t\t52404\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:47.114Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"10970bab81fbb615a20d1fee2dd1fcb44ea3b2b72a82a05d55d7b586e38defe5","outcome":"success","created":"2025-12-06T11:56:48.152Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849519,"event_id":4624,"process":{"thread":{"id":5192},"pid":692},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","SubjectUserName":"-","IpAddress":"::1","TargetOutboundUserName":"-","LogonGuid":"{BE35C157-0D56-EDEF-BA5D-5216564F361C}","ImpersonationLevel":"%%1833","TargetLogonId":"0xcef2120","SubjectLogonId":"0x0","IpPort":"52404","TargetUserSid":"S-1-5-18","LmPackageName":"-","TargetOutboundDomainName":"-","ProcessId":"0x0","SubjectUserSid":"S-1-0-0","ProcessName":"-","KeyLength":"0","TargetDomainName":"TDARPLATFORM.CSOC","TargetLinkedLogonId":"0x0","LogonType":"3","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400719 Key: Timestamp: 2025-12-06 11:32:52.252 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEF2120\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:47.115Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"24f6720f6138450be49739782add51066e65e85c9e732e715919bdfdf928b937","outcome":"success","created":"2025-12-06T11:56:48.152Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849521,"event_id":4634,"process":{"thread":{"id":4260},"pid":692},"event_data":{"TargetDomainName":"TDARPLATFORM","TargetLogonId":"0xcef2120","LogonType":"3","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetUserSid":"S-1-5-18"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400720 Key: Timestamp: 2025-12-06 11:32:52.252 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.111\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67143\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:47.238Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"1e498213237e62bbeb421d6594b60e38de7201a20629e56309e6469c3a3ccc08","outcome":"failure","created":"2025-12-06T11:56:48.152Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849522,"event_id":5152,"process":{"thread":{"id":5732},"pid":4},"event_data":{"LayerRTID":"44","ProcessId":"4","Application":"System","DestAddress":"172.30.4.205","Protocol":"1","SourceAddress":"172.30.4.111","DestPort":"5","Direction":"%%14592","LayerName":"%%14610","FilterRTID":"67143","SourcePort":"1"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400721 Key: Timestamp: 2025-12-06 11:32:52.252 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2264\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t52404\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:47.112Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"b16ecdcfb54f53c4a6d1ec77777b608b9f70e54f9a65dfd9f6deffa17985d9d4","outcome":"success","created":"2025-12-06T11:56:48.151Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849515,"event_id":5158,"process":{"thread":{"id":5732},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"2264","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"52404"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400722 Key: Timestamp: 2025-12-06 11:32:52.252 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.111\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67143\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:47.238Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5157,"hash":"06e28b12d812823a73eb1498cdf181383fa04c0ccc8d1d06295a62dbecb6951a","outcome":"failure","created":"2025-12-06T11:56:48.152Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849523,"event_id":5157,"process":{"thread":{"id":5732},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","DestPort":"5","Protocol":"1","SourceAddress":"172.30.4.111","ProcessID":"4","DestAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"67143","SourcePort":"1"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400723 Key: Timestamp: 2025-12-06 11:32:54.268 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.111\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67143\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:48.743Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"1e498213237e62bbeb421d6594b60e38de7201a20629e56309e6469c3a3ccc08","outcome":"failure","created":"2025-12-06T11:56:50.171Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849524,"event_id":5152,"process":{"thread":{"id":5732},"pid":4},"event_data":{"LayerRTID":"44","ProcessId":"4","Application":"System","DestAddress":"172.30.4.205","DestPort":"5","Protocol":"1","SourceAddress":"172.30.4.111","Direction":"%%14592","LayerName":"%%14610","FilterRTID":"67143","SourcePort":"1"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400724 Key: Timestamp: 2025-12-06 11:32:54.268 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.111\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67143\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:48.743Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5157,"hash":"06e28b12d812823a73eb1498cdf181383fa04c0ccc8d1d06295a62dbecb6951a","outcome":"failure","created":"2025-12-06T11:56:50.171Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849525,"event_id":5157,"process":{"thread":{"id":5732},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.111","DestAddress":"172.30.4.205","DestPort":"5","Protocol":"1","RemoteMachineID":"S-1-0-0","ProcessID":"4","Application":"System","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"67143","SourcePort":"1"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400725 Key: Timestamp: 2025-12-06 11:32:54.268 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2392\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t52405\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:49.119Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"aa9ce1203ff1e3f66047201dbef541d2822f570b8368973205f00fad34b58e03","outcome":"success","created":"2025-12-06T11:56:50.171Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849526,"event_id":5158,"process":{"thread":{"id":5732},"pid":4},"event_data":{"ProcessId":"2392","LayerRTID":"36","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"52405"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400726 Key: Timestamp: 2025-12-06 11:32:54.268 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2392\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t52405\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:49.119Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"274d00815a47fecdddb6748776872dcedb0664f75b914c29c16593081acf3ed2","outcome":"success","created":"2025-12-06T11:56:50.171Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849527,"event_id":5156,"process":{"thread":{"id":5732},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.205","DestAddress":"172.30.2.163","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","DestPort":"1514","ProcessID":"2392","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"52405"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400727 Key: Timestamp: 2025-12-06 11:32:57.288 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t52405\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:52.116Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"fce1058cd01a5722c1d195dc6442c4faecb0f0f259dc812a1422e35666609603","outcome":"failure","created":"2025-12-06T11:56:53.204Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849528,"event_id":5152,"process":{"thread":{"id":5296},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","SourceAddress":"172.30.2.163","DestAddress":"172.30.4.205","DestPort":"52405","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400728 Key: Timestamp: 2025-12-06 11:32:57.405 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t49632\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:51.630Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"93c90ad1df7d944fa4cbf93c4822d91b273103aead2530edda3f0901ec97266e","outcome":"success","created":"2025-12-06T11:56:53.316Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829080,"event_id":5158,"process":{"thread":{"id":2772},"pid":4},"event_data":{"ProcessId":"2420","LayerRTID":"36","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"49632"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400729 Key: Timestamp: 2025-12-06 11:32:57.405 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t49632\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:51.631Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"86a8233c1869bc9e06b7706d382d29e30a6ff12c1a2a3af3604b064915ba7edf","outcome":"success","created":"2025-12-06T11:56:53.316Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829081,"event_id":5156,"process":{"thread":{"id":2772},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.206","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","DestPort":"1514","RemoteMachineID":"S-1-0-0","Protocol":"6","ProcessID":"2420","DestAddress":"172.30.2.163","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"49632"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400730 Key: Timestamp: 2025-12-06 11:32:57.405 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t49632\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:52.118Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"c5ac2d19188d352aa01a931a66bc2ac97745f1b776ffb3f4f010abfdff054f38","outcome":"failure","created":"2025-12-06T11:56:53.316Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829082,"event_id":5152,"process":{"thread":{"id":2772},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","SourceAddress":"172.30.2.163","Protocol":"6","DestPort":"49632","DestAddress":"172.30.4.206","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400731 Key: Timestamp: 2025-12-06 11:33:00.301 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t52405\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:55.126Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"fce1058cd01a5722c1d195dc6442c4faecb0f0f259dc812a1422e35666609603","outcome":"failure","created":"2025-12-06T11:56:56.216Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849529,"event_id":5152,"process":{"thread":{"id":5732},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","SourceAddress":"172.30.2.163","Application":"-","DestPort":"52405","Protocol":"6","DestAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400732 Key: Timestamp: 2025-12-06 11:33:00.420 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t49632\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:55.128Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"c5ac2d19188d352aa01a931a66bc2ac97745f1b776ffb3f4f010abfdff054f38","outcome":"failure","created":"2025-12-06T11:56:56.329Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829083,"event_id":5152,"process":{"thread":{"id":4640},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","SourceAddress":"172.30.2.163","DestPort":"49632","Protocol":"6","DestAddress":"172.30.4.206","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400733 Key: Timestamp: 2025-12-06 11:33:03.323 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xE10E0C\n\nProcess Information:\n\tProcess ID:\t0x1558\n\tProcess Name:\tC:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n\tExit Status:\t0x0","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:57.526Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Process Termination","kind":"event","code":4689,"hash":"b4d783d9f43f51f74731cb817e5ded88134d1e1087a12d6872ab690890325dc6","outcome":"success","created":"2025-12-06T11:56:59.234Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849530,"event_id":4689,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0x1558","ProcessName":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","SubjectUserSid":"S-1-5-21-2744872422-3021103393-397187185-500","Status":"0x0","SubjectLogonId":"0xe10e0c","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"Administrator"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Process Termination"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400734 Key: Timestamp: 2025-12-06 11:33:04.462 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:59.335Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:57:00.364Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829096,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400735 Key: Timestamp: 2025-12-06 11:33:04.462 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:59.337Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:57:00.364Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829097,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400736 Key: Timestamp: 2025-12-06 11:33:04.462 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:59.348Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:57:00.364Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829099,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400737 Key: Timestamp: 2025-12-06 11:33:04.462 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:59.335Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:57:00.364Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829095,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400738 Key: Timestamp: 2025-12-06 11:33:04.462 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:56:59.348Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T11:57:00.364Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829098,"event_id":4703,"process":{"thread":{"id":2100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400739 Key: Timestamp: 2025-12-06 11:35:52.943 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2264\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t52421\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:47.142Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"015a1a7eb88c42b622fdfc0cd7256e65f15e6882bada9d8db1960be728c1331a","outcome":"success","created":"2025-12-06T11:59:48.858Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849913,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"::1","RemoteMachineID":"S-1-0-0","DestPort":"389","Protocol":"6","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","ProcessID":"2264","DestAddress":"::1","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52421"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400740 Key: Timestamp: 2025-12-06 11:35:52.943 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t692\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t52421\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:47.142Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"168c5d4dc154d9768a9eb625b10641ba91e5ac0cba3c27997897c324ee58fae0","outcome":"success","created":"2025-12-06T11:59:48.858Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849914,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","DestAddress":"::1","DestPort":"389","Protocol":"6","SourceAddress":"::1","ProcessID":"692","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"52421"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400741 Key: Timestamp: 2025-12-06 11:35:52.943 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEF56F4\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:47.143Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"2ef09b2479b042527b3fde7f2227cf4c135efda074873b27f85b046245d5fa2e","outcome":"success","created":"2025-12-06T11:59:48.858Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849915,"event_id":4672,"process":{"thread":{"id":4888},"pid":692},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xcef56f4","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400742 Key: Timestamp: 2025-12-06 11:35:52.943 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2264\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t52421\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:47.142Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"fbb2820d021a9a48eacd7b44c3712eb129f07bcfc57b00318624484d681519fa","outcome":"success","created":"2025-12-06T11:59:48.858Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849912,"event_id":5158,"process":{"thread":{"id":4340},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"2264","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"52421"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400743 Key: Timestamp: 2025-12-06 11:35:52.943 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xCEF56F4\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{BE35C157-0D56-EDEF-BA5D-5216564F361C}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t::1\n\tSource Port:\t\t52421\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:47.144Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"bb0987e20d750d39708bf973b740c0b44307a3bc33b05772bd105deed57f619a","outcome":"success","created":"2025-12-06T11:59:48.858Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849916,"event_id":4624,"process":{"thread":{"id":4888},"pid":692},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","SubjectUserName":"-","IpAddress":"::1","TargetOutboundUserName":"-","LogonGuid":"{BE35C157-0D56-EDEF-BA5D-5216564F361C}","ImpersonationLevel":"%%1833","TargetLogonId":"0xcef56f4","SubjectLogonId":"0x0","IpPort":"52421","TargetUserSid":"S-1-5-18","LmPackageName":"-","ProcessId":"0x0","SubjectUserSid":"S-1-0-0","TargetOutboundDomainName":"-","ProcessName":"-","KeyLength":"0","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","LogonType":"3","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400744 Key: Timestamp: 2025-12-06 11:35:52.943 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEF56F4\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:47.145Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"e1f1272e80d1a567fe1fd70e8f3b22c1a58c722e0902e370d02ffd65d92e78ba","outcome":"success","created":"2025-12-06T11:59:48.858Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849918,"event_id":4634,"process":{"thread":{"id":4260},"pid":692},"event_data":{"TargetLogonId":"0xcef56f4","LogonType":"3","TargetDomainName":"TDARPLATFORM","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetUserSid":"S-1-5-18"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logoff"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400745 Key: Timestamp: 2025-12-06 11:35:53.124 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t49651\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:47.788Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"a77427f6104a3435b92d128ad471d7a7c32e1547ccfdc01f3c69d83de73461a1","outcome":"success","created":"2025-12-06T11:59:49.037Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829458,"event_id":5158,"process":{"thread":{"id":1368},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2420","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"49651"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400746 Key: Timestamp: 2025-12-06 11:35:53.124 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t49651\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:47.788Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"945edca8c72b8bbca164faa3225f6ba5858d74a3a5fb6e7561bdbc3fe62e2b74","outcome":"success","created":"2025-12-06T11:59:49.037Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829459,"event_id":5156,"process":{"thread":{"id":1368},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","DestAddress":"172.30.2.163","Protocol":"6","RemoteMachineID":"S-1-0-0","SourceAddress":"172.30.4.206","DestPort":"1514","ProcessID":"2420","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"49651"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400747 Key: Timestamp: 2025-12-06 11:35:53.125 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t49651\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:48.251Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"ad258e8d8a27f0582b223425df6e33f87dcd015d2fdf3e4c8a885575cec75d41","outcome":"failure","created":"2025-12-06T11:59:49.037Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829460,"event_id":5152,"process":{"thread":{"id":1368},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","SourceAddress":"172.30.2.163","DestPort":"49651","Protocol":"6","DestAddress":"172.30.4.206","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400748 Key: Timestamp: 2025-12-06 11:35:53.946 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t52420\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:48.248Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"70d16a71c891b00e4cd8537a53f0af37b546e69d580412ae198f6c97eac0d6ac","outcome":"failure","created":"2025-12-06T11:59:49.863Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849919,"event_id":5152,"process":{"thread":{"id":4340},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","SourceAddress":"172.30.2.163","Protocol":"6","DestPort":"52420","DestAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400749 Key: Timestamp: 2025-12-06 11:35:56.968 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t52420\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:51.248Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"70d16a71c891b00e4cd8537a53f0af37b546e69d580412ae198f6c97eac0d6ac","outcome":"failure","created":"2025-12-06T11:59:52.882Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849920,"event_id":5152,"process":{"thread":{"id":4160},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","SourceAddress":"172.30.2.163","Application":"-","DestPort":"52420","DestAddress":"172.30.4.205","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400750 Key: Timestamp: 2025-12-06 11:35:57.155 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t49651\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:51.251Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"ad258e8d8a27f0582b223425df6e33f87dcd015d2fdf3e4c8a885575cec75d41","outcome":"failure","created":"2025-12-06T11:59:53.075Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829461,"event_id":5152,"process":{"thread":{"id":4296},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","SourceAddress":"172.30.2.163","DestPort":"49651","DestAddress":"172.30.4.206","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400751 Key: Timestamp: 2025-12-06 11:36:03.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t52420\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:57.258Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"70d16a71c891b00e4cd8537a53f0af37b546e69d580412ae198f6c97eac0d6ac","outcome":"failure","created":"2025-12-06T11:59:58.926Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849921,"event_id":5152,"process":{"thread":{"id":5296},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","DestAddress":"172.30.4.205","DestPort":"52420","SourceAddress":"172.30.2.163","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400752 Key: Timestamp: 2025-12-06 11:36:03.203 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t49651\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:57.262Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"ad258e8d8a27f0582b223425df6e33f87dcd015d2fdf3e4c8a885575cec75d41","outcome":"failure","created":"2025-12-06T11:59:59.117Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829462,"event_id":5152,"process":{"thread":{"id":2520},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","SourceAddress":"172.30.2.163","DestAddress":"172.30.4.206","DestPort":"49651","Application":"-","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400753 Key: Timestamp: 2025-12-06 11:36:05.236 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.408Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829469,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400754 Key: Timestamp: 2025-12-06 11:36:05.236 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.406Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829468,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400755 Key: Timestamp: 2025-12-06 11:36:05.236 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.406Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829467,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400756 Key: Timestamp: 2025-12-06 11:36:05.236 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.394Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829465,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400757 Key: Timestamp: 2025-12-06 11:36:05.236 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.419Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829472,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400758 Key: Timestamp: 2025-12-06 11:36:05.237 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.390Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829463,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400759 Key: Timestamp: 2025-12-06 11:36:05.237 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.418Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829470,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400760 Key: Timestamp: 2025-12-06 11:36:05.237 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.406Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829466,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400761 Key: Timestamp: 2025-12-06 11:36:05.237 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.391Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829464,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessId":"0x11c","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400762 Key: Timestamp: 2025-12-06 11:36:05.237 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.419Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829471,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400763 Key: Timestamp: 2025-12-06 11:36:05.238 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T11:59:59.420Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:00:01.144Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224829473,"event_id":4703,"process":{"thread":{"id":4296},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400764 Key: Timestamp: 2025-12-06 11:36:12.075 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:00:05.983Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:00:07.989Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849927,"event_id":4703,"process":{"thread":{"id":5864},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400765 Key: Timestamp: 2025-12-06 11:36:12.075 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:00:05.966Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:00:07.989Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849922,"event_id":4703,"process":{"thread":{"id":5864},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400766 Key: Timestamp: 2025-12-06 11:36:12.075 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:00:05.999Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:00:07.989Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849929,"event_id":4703,"process":{"thread":{"id":5864},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400767 Key: Timestamp: 2025-12-06 11:36:12.075 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:00:05.999Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:00:07.989Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849931,"event_id":4703,"process":{"thread":{"id":5864},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400768 Key: Timestamp: 2025-12-06 11:36:12.075 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:00:05.967Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:00:07.989Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849923,"event_id":4703,"process":{"thread":{"id":5864},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1400769 Key: Timestamp: 2025-12-06 11:36:12.075 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:00:05.970Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:00:07.989Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173849924,"event_id":4703,"process":{"thread":{"id":5864},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}