Topic Messages: logstash-local-windows

First Offset: 1408827  Last Offset: 1480224  Size: 71397
Offset: 1408827   Key:   Timestamp: 2025-12-06 11:43:25.041 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:19.565Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:07:20.963Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830281,"event_id":4703,"process":{"thread":{"id":4708},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408828   Key:   Timestamp: 2025-12-06 11:43:25.041 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:19.581Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:07:20.963Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830288,"event_id":4703,"process":{"thread":{"id":4708},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408829   Key:   Timestamp: 2025-12-06 11:43:29.014 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1001\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xCEFDB34\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{18BB87B5-A913-164B-D345-087F2114EBDC}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t172.30.4.206\n\tSource Port:\t\t49704\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:23.555Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"dbb764933ad5926d43dedd053d87e7b6330af7e034d8f82093ca793f452e0906","outcome":"success","created":"2025-12-06T12:07:24.937Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850740,"event_id":4624,"process":{"thread":{"id":4420},"pid":692},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"W2016AD-N25$","LogonProcessName":"Kerberos","SubjectDomainName":"-","IpAddress":"172.30.4.206","SubjectUserName":"-","TargetOutboundUserName":"-","LogonGuid":"{18BB87B5-A913-164B-D345-087F2114EBDC}","ImpersonationLevel":"%%1833","TargetLogonId":"0xcefdb34","SubjectLogonId":"0x0","IpPort":"49704","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1001","LmPackageName":"-","TargetOutboundDomainName":"-","SubjectUserSid":"S-1-0-0","ProcessId":"0x0","ProcessName":"-","KeyLength":"0","LogonType":"3","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408830   Key:   Timestamp: 2025-12-06 11:43:29.014 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t49704\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t62510\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t66964\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:23.553Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"06a3828a88fe660b75c29cc7ef51bb138237e365f4cc7011b80314c77dc6e916","outcome":"success","created":"2025-12-06T12:07:24.937Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850739,"event_id":5156,"process":{"thread":{"id":5864},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.206","DestAddress":"172.30.4.205","Protocol":"6","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","DestPort":"62510","ProcessID":"2480","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66964","SourcePort":"49704"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408831   Key:   Timestamp: 2025-12-06 11:43:29.069 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2460\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t49704\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:23.558Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"9918c6a50426f24802228b58f2979a74177ce9bece4d766e5bae6b4cec9625ca","outcome":"success","created":"2025-12-06T12:07:24.987Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830289,"event_id":5158,"process":{"thread":{"id":4708},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2460","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"49704"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering 
Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408832   Key:   Timestamp: 2025-12-06 11:43:29.069 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2460\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t49704\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t62510\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67659\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:23.558Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"78daedeeb638d97fdf7f4ea60e42ccd4e6bc2c67b4be8e44915a3c1d5aef0ec0","outcome":"success","created":"2025-12-06T12:07:24.987Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830290,"event_id":5156,"process":{"thread":{"id":4708},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","DestAddress":"172.30.4.205","Protocol":"6","DestPort":"62510","RemoteMachineID":"S-1-0-0","ProcessID":"2460","SourceAddress":"172.30.4.206","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67659","SourcePort":"49704"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408833   Key:   Timestamp: 2025-12-06 11:43:31.052 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.121Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850748,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408834   Key:   Timestamp: 2025-12-06 11:43:31.052 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.254\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.1\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66964\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:25.385Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d0ccaf881b6040de72d710aa2765bc2d718f29eecc839bc3fcc5f70a7a58be86","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850742,"event_id":5156,"process":{"thread":{"id":5144},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","DestPort":"0","Protocol":"2","DestAddress":"224.0.0.1","ProcessID":"4","SourceAddress":"172.30.4.254","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66964","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408835   Key:   Timestamp: 2025-12-06 11:43:31.052 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.132Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850749,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408836   Key:   Timestamp: 2025-12-06 11:43:31.052 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:25.611Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"b8ecff2fa088e69d7d4f8e9f8aad751d4ef71e9e80e2a4bc5c4976cd8be8809b","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850745,"event_id":5156,"process":{"thread":{"id":5144},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","Protocol":"2","DestAddress":"239.255.255.250","DestPort":"0","ProcessID":"4","SourceAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408837   Key:   Timestamp: 2025-12-06 11:43:31.052 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.134Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850752,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408838   Key:   Timestamp: 2025-12-06 11:43:31.053 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.117Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850746,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408839   Key:   Timestamp: 2025-12-06 11:43:31.053 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.145Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850753,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408840   Key:   Timestamp: 2025-12-06 11:43:31.053 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.118Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850747,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408841   Key:   Timestamp: 2025-12-06 11:43:31.053 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.145Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850754,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408842   Key:   Timestamp: 2025-12-06 11:43:31.053 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.145Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850755,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408843   Key:   Timestamp: 2025-12-06 11:43:31.053 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.146Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.964Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850756,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408844   Key:   Timestamp: 2025-12-06 11:43:31.080 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:25.611Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"27590539f2716b76084e8ad651dc196c667d8bd697dde241bed6dde274b5467c","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850743,"event_id":5156,"process":{"thread":{"id":5144},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"System","SourceAddress":"172.30.4.205","DestPort":"0","RemoteMachineID":"S-1-0-0","DestAddress":"224.0.0.252","ProcessID":"4","Protocol":"2","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408845   Key:   Timestamp: 2025-12-06 11:43:31.080 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:25.611Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"8ef87cc2271e90dd22e590256418f5913f1641a48280fc3191bebb56abeb7f29","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850744,"event_id":5156,"process":{"thread":{"id":5144},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","DestAddress":"224.0.0.252","DestPort":"0","SourceAddress":"172.30.4.205","Protocol":"2","ProcessID":"4","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408846   Key:   Timestamp: 2025-12-06 11:43:31.080 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.132Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850751,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408847   Key:   Timestamp: 2025-12-06 11:43:31.080 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.254\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.1\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:25.391Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"32be4e7bd564687a554f50e5cb0aa419311d6f01b77114a69558b50c8f05a6b3","outcome":"success","created":"2025-12-06T12:07:27.006Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830292,"event_id":5156,"process":{"thread":{"id":4708},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.254","RemoteMachineID":"S-1-0-0","Application":"System","DestAddress":"224.0.0.1","DestPort":"0","ProcessID":"4","Protocol":"2","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408848   Key:   Timestamp: 2025-12-06 11:43:31.080 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:26.132Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:26.963Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850750,"event_id":4703,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408849   Key:   Timestamp: 2025-12-06 11:43:31.080 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t49703\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:25.340Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"3e7a624e22d83c9a52eb0f4a487f71ebb02b4e27e01575719685dabab049183c","outcome":"failure","created":"2025-12-06T12:07:27.006Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830291,"event_id":5152,"process":{"thread":{"id":4708},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","SourceAddress":"172.30.2.163","Protocol":"6","DestAddress":"172.30.4.206","DestPort":"49703","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit 
Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408850   Key:   Timestamp: 2025-12-06 11:43:34.118 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:28.799Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"ad6d351b0a9c5927c7b59faad35f3f79c33fe6d7ede0999c7ffa9541b78369e6","outcome":"success","created":"2025-12-06T12:07:30.033Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830293,"event_id":5156,"process":{"thread":{"id":4708},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"System","DestAddress":"224.0.0.251","DestPort":"0","Protocol":"2","RemoteMachineID":"S-1-0-0","ProcessID":"4","SourceAddress":"172.30.4.206","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408851   Key:   Timestamp: 2025-12-06 11:43:34.118 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:29.797Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"fa3fdde9c098dcbb48204031b7a11321d32152e29e7222facf92e07b9875bed1","outcome":"success","created":"2025-12-06T12:07:30.034Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830295,"event_id":5156,"process":{"thread":{"id":4708},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","SourceAddress":"172.30.4.206","DestAddress":"239.255.255.250","RemoteMachineID":"S-1-0-0","DestPort":"0","ProcessID":"4","Protocol":"2","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408852   Key:   Timestamp: 2025-12-06 11:43:34.118 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:28.799Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"ffd3ac094d35d7eb47fadbc9784a53dc3656eb785ba824f31e27cb962b13d1ff","outcome":"success","created":"2025-12-06T12:07:30.034Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830294,"event_id":5156,"process":{"thread":{"id":4708},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.206","RemoteMachineID":"S-1-0-0","Application":"System","DestPort":"0","Protocol":"2","ProcessID":"4","DestAddress":"224.0.0.251","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408853   Key:   Timestamp: 2025-12-06 11:43:37.104 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2392\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t52463\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:31.723Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"3c582c2161cd58f5dfbb9c7afe0f6ae690009e30b646d7ecd2ac8bad996b81f9","outcome":"success","created":"2025-12-06T12:07:33.018Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850757,"event_id":5158,"process":{"thread":{"id":5144},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2392","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"52463"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit 
Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408854   Key:   Timestamp: 2025-12-06 11:43:37.104 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:32.614Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"545161f1bc97c75d6e1f1c2b2f21cd228b666f634c2648968175d61da9f8df31","outcome":"success","created":"2025-12-06T12:07:33.018Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850759,"event_id":5156,"process":{"thread":{"id":5732},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","Protocol":"2","DestAddress":"224.0.0.251","DestPort":"0","ProcessID":"4","SourceAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408855   Key:   Timestamp: 2025-12-06 11:43:37.104 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2392\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t52463\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:31.723Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d46826634cd54355985d7760415eb4b6a32db0b00f9b7a918f9e652a95785215","outcome":"success","created":"2025-12-06T12:07:33.018Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850758,"event_id":5156,"process":{"thread":{"id":5144},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files 
(x86)\\ossec-agent\\wazuh-agent.exe","RemoteMachineID":"S-1-0-0","DestPort":"1514","Protocol":"6","SourceAddress":"172.30.4.205","ProcessID":"2392","DestAddress":"172.30.2.163","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"52463"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408856   Key:   Timestamp: 2025-12-06 11:43:39.160 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2460\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t52464\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t53011\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t66908\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:33.972Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"190b98286856c828799eab8c8f9398435ac82e560dfaddf530b5ab22a8bc9d02","outcome":"success","created":"2025-12-06T12:07:35.085Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830296,"event_id":5156,"process":{"thread":{"id":4708},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestAddress":"fe80::cd46:3442:b9b4:26f4","DestPort":"53011","Protocol":"6","ProcessID":"2460","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66908","SourcePort":"52464"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408857   Key:   Timestamp: 2025-12-06 11:43:39.160 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1104\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xDD6FB1D\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{3CA5EA31-F1C6-E065-C37D-2D2D864B5A7C}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t52464\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:33.975Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"b0beb6a40b53ffac38bd3f7f145489efe3c50ea49d470f86e718f8349701ea9a","outcome":"success","created":"2025-12-06T12:07:35.085Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830297,"event_id":4624,"process":{"thread":{"id":4672},"pid":676},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","SubjectUserName":"-","IpAddress":"fe80::6c1c:1afd:b16:ecb9","TargetOutboundUserName":"-","LogonGuid":"{3CA5EA31-F1C6-E065-C37D-2D2D864B5A7C}","ImpersonationLevel":"%%1833","TargetLogonId":"0xdd6fb1d","SubjectLogonId":"0x0","IpPort":"52464","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1104","LmPackageName":"-","ProcessId":"0x0","SubjectUserSid":"S-1-0-0","ProcessName":"-","TargetOutboundDomainName":"-","KeyLength":"0","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","LogonType":"3","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{A040D0FF-4D0A-0000-14D1-40A00A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408858   Key:   Timestamp: 2025-12-06 11:43:39.160 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t52464\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:33.966Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"33df32af613f0d585bf03c5c648881d9258f27258fcc118c32f14f61ebbb3668","outcome":"success","created":"2025-12-06T12:07:35.042Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850760,"event_id":5158,"process":{"thread":{"id":5732},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"2480","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"52464"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform 
Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408859   Key:   Timestamp: 2025-12-06 11:43:39.160 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t49706\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1515\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:34.358Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"b597158ed4c245ddcf39fbf47dbfa32b7ff38fee1c5aabfbfbb72a0899b7033d","outcome":"success","created":"2025-12-06T12:07:35.086Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830300,"event_id":5156,"process":{"thread":{"id":4708},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files 
(x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"172.30.4.206","DestPort":"1515","DestAddress":"172.30.2.163","Protocol":"6","RemoteMachineID":"S-1-0-0","ProcessID":"2420","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"49706"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408860   Key:   Timestamp: 2025-12-06 11:43:59.320 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.547Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850847,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","Protocol":"6","DestPort":"445","DestAddress":"fe80::8fa:3638:53e1:fb32","ProcessID":"4","Application":"System","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408861   Key:   Timestamp: 2025-12-06 11:43:59.320 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEFE3EC\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.548Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"4b650a6724537267c9a101e1d8cc7b4e54febe7a6683889b210b8e6436c23645","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850854,"event_id":4634,"process":{"thread":{"id":1468},"pid":692},"event_data":{"TargetLogonId":"0xcefe3ec","LogonType":"3","TargetDomainName":"TDARPLATFORM","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetUserSid":"S-1-5-18"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit 
Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408862   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t52469\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.462Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"733e4a165639bc0db90a328947f6adc074e07db5e7152911f09ad3d919c09ba9","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850809,"event_id":5158,"process":{"thread":{"id":1380},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"4","LayerName":"%%14608","Application":"System","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"52469"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform 
Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408863   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.541Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850816,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","SourceAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","DestAddress":"fe80::8fa:3638:53e1:fb32","Protocol":"6","ProcessID":"4","RemoteMachineID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408864   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.544Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850824,"event_id":5156,"process":{"thread":{"id":5864},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","DestAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","Protocol":"6","ProcessID":"4","Application":"System","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408865   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.545Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850831,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","Protocol":"6","DestPort":"445","DestAddress":"fe80::8fa:3638:53e1:fb32","Application":"System","ProcessID":"4","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408866   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.546Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850838,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","RemoteMachineID":"S-1-0-0","DestAddress":"fe80::8fa:3638:53e1:fb32","Protocol":"6","DestPort":"445","ProcessID":"4","SourceAddress":"fe80::8fa:3638:53e1:fb32","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408867   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.546Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850839,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","DestAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","Protocol":"6","DestPort":"445","ProcessID":"4","Application":"System","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408868   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.546Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850840,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","RemoteMachineID":"S-1-0-0","DestPort":"445","Protocol":"6","DestAddress":"fe80::8fa:3638:53e1:fb32","ProcessID":"4","SourceAddress":"fe80::8fa:3638:53e1:fb32","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408869   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.546Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850845,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","RemoteMachineID":"S-1-0-0","DestAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","Protocol":"6","SourceAddress":"fe80::8fa:3638:53e1:fb32","ProcessID":"4","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408870   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEFE520\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.547Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"5b363439e6138f2605202726f5a77fee11699518b646e95fa9cb6c9e1a9366cd","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850852,"event_id":4634,"process":{"thread":{"id":4420},"pid":692},"event_data":{"TargetDomainName":"TDARPLATFORM","TargetLogonId":"0xcefe520","LogonType":"3","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetUserSid":"S-1-5-18"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit 
Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408871   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t52469\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65789\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.462Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"8c4af9077541313589eb89207fab8acc1ead241eac25717ff5009bda36f34a0b","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850810,"event_id":5156,"process":{"thread":{"id":1380},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"System","DestAddress":"172.30.4.205","Protocol":"6","DestPort":"445","RemoteMachineID":"S-1-0-0","ProcessID":"4","SourceAddress":"172.30.4.205","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65789","SourcePort":"52469"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408872   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.541Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850817,"event_id":5156,"process":{"thread":{"id":5864},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","Protocol":"6","DestPort":"445","RemoteMachineID":"S-1-0-0","ProcessID":"4","SourceAddress":"fe80::8fa:3638:53e1:fb32","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408873   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.544Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850825,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","RemoteMachineID":"S-1-0-0","Protocol":"6","DestAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","ProcessID":"4","SourceAddress":"fe80::8fa:3638:53e1:fb32","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408874   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.545Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850832,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","Protocol":"6","RemoteMachineID":"S-1-0-0","ProcessID":"4","SourceAddress":"fe80::8fa:3638:53e1:fb32","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408875   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.546Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850846,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","SourceAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","RemoteMachineID":"S-1-0-0","ProcessID":"4","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408876   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEFE4D3\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.548Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"3926ea72a6304460c46575986000e9905c6e0083f7e1ddff730ad05e4a461990","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850853,"event_id":4634,"process":{"thread":{"id":4260},"pid":692},"event_data":{"TargetDomainName":"TDARPLATFORM","TargetLogonId":"0xcefe4d3","LogonType":"3","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetUserSid":"S-1-5-18"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit 
Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408877   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.540Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850813,"event_id":5156,"process":{"thread":{"id":5144},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","DestPort":"445","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","ProcessID":"4","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408878   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.540Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"2f94c2e7a199c62dd5415d7a40f36bdbdb929c3885c88de52aec033a6ed73596","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850814,"event_id":5156,"process":{"thread":{"id":5144},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","SourceAddress":"fe80::8fa:3638:53e1:fb32","Protocol":"6","ProcessID":"4","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408879   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.543Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850820,"event_id":5156,"process":{"thread":{"id":5864},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","DestPort":"445","DestAddress":"fe80::8fa:3638:53e1:fb32","Application":"System","ProcessID":"4","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408880   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.545Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850828,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","DestPort":"445","Protocol":"6","Application":"System","ProcessID":"4","DestAddress":"fe80::8fa:3638:53e1:fb32","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408881   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.545Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850835,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","DestAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","Application":"System","DestPort":"445","ProcessID":"4","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408882   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.546Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850842,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","RemoteMachineID":"S-1-0-0","SourceAddress":"fe80::8fa:3638:53e1:fb32","DestAddress":"fe80::8fa:3638:53e1:fb32","Protocol":"6","ProcessID":"4","DestPort":"445","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408883   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.547Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850849,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","SourceAddress":"fe80::8fa:3638:53e1:fb32","Protocol":"6","DestAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","ProcessID":"4","RemoteMachineID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408884   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.551Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850856,"event_id":4703,"process":{"thread":{"id":4340},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408885   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEFE602\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.543Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"02150ceca25e232033053fe72a56feafa953a229933a72b97a20071042e0a395","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850821,"event_id":4672,"process":{"thread":{"id":4420},"pid":692},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xcefe602","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408886   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A network share object was checked to see whether client can be granted desired access.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEFE602\n\nNetwork Information:\t\n\tObject Type:\t\tFile\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\t\nShare Information:\n\tShare Name:\t\t\\\\*\\SYSVOL\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\n\tRelative Target Name:\ttdarplatform.csoc\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\gpt.ini\n\nAccess Request Information:\n\tAccess Mask:\t\t0x120089\n\tAccesses:\t\tREAD_CONTROL\n\t\t\t\tSYNCHRONIZE\n\t\t\t\tReadData (or ListDirectory)\n\t\t\t\tReadEA\n\t\t\t\tReadAttributes\n\t\t\t\t\nAccess Check Results:\n\tREAD_CONTROL:\tGranted by Ownership\n\t\t\t\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;WD)\n\t\t\t\tReadEA:\tGranted by\tD:(A;;0x1200a9;;;WD)\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.545Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Detailed File Share","kind":"event","code":5145,"hash":"e47e53eb2eecfd860dea66dc2f43963da85d919aa8d85e1cad3532db6e541d9c","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850829,"event_id":5145,"process":{"thread":{"id":4340},"pid":4},"event_data":{"AccessMask":"0x120089","SubjectUserSid":"S-1-5-18","AccessList":"%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4419\n\t\t\t\t%%4423\n\t\t\t\t","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","IpAddress":"fe80::8fa:3638:53e1:fb32","ShareLocalPath":"\\??\\C:\\Windows\\SYSVOL\\sysvol","RelativeTargetName":"tdarplatform.csoc\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\gpt.ini","AccessReason":"%%1538:\t%%1804\n\t\t\t\t%%1541:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4416:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4419:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t","SubjectLogonId":"0xcefe602","ObjectType":"File","ShareName":"\\\\*\\SYSVOL","IpPort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Detailed File Share"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408887   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.545Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850836,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","Application":"System","DestPort":"445","Protocol":"6","DestAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","ProcessID":"4","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408888   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.546Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850843,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","DestPort":"445","Protocol":"6","ProcessID":"4","SourceAddress":"fe80::8fa:3638:53e1:fb32","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408889   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t360\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t2001:0:2851:782c:8fa:3638:53e1:fb32\n\tSource Port:\t\t52467\n\tDestination Address:\t2001:0:2851:782c:8fa:3638:53e1:fb32\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.547Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"07918f6be03633cee398b3cb74fe718ae0912c2744b5cd6f7d5378e19bd6fb98","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850850,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"2001:0:2851:782c:8fa:3638:53e1:fb32","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","DestPort":"389","RemoteMachineID":"S-1-0-0","DestAddress":"2001:0:2851:782c:8fa:3638:53e1:fb32","ProcessID":"360","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52467"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408890   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.551Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850857,"event_id":4703,"process":{"thread":{"id":4340},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408891   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t52470\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.540Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"7ba492799a1451abfb7f3c6ecbc4a65f9c96e526821ce8a8678aba3f4df7f366","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850812,"event_id":5158,"process":{"thread":{"id":5144},"pid":4},"event_data":{"ProcessId":"4","LayerRTID":"38","LayerName":"%%14608","Application":"System","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform 
Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408892   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.541Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850819,"event_id":5156,"process":{"thread":{"id":5864},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","DestAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","DestPort":"445","Application":"System","ProcessID":"4","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408893   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.544Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.230Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850827,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::8fa:3638:53e1:fb32","RemoteMachineID":"S-1-0-0","DestPort":"445","Protocol":"6","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","ProcessID":"4","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408894   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.545Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850834,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","Protocol":"6","RemoteMachineID":"S-1-0-0","DestPort":"445","ProcessID":"4","SourceAddress":"fe80::8fa:3638:53e1:fb32","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408895   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\tDestination Address:\tfe80::8fa:3638:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.546Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d5452ad9b4e6d86daff5f653760d6d7f477926e75f84a38c5bc88f828f64e338","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850841,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"System","DestAddress":"fe80::8fa:3638:53e1:fb32","DestPort":"445","RemoteMachineID":"S-1-0-0","SourceAddress":"fe80::8fa:3638:53e1:fb32","ProcessID":"4","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"52470"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408896   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A network share object was checked to see whether client can be granted desired access.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xCEFE602\n\nNetwork Information:\t\n\tObject Type:\t\tFile\n\tSource Address:\t\tfe80::8fa:3638:53e1:fb32\n\tSource Port:\t\t52470\n\t\nShare Information:\n\tShare Name:\t\t\\\\*\\SYSVOL\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\n\tRelative Target Name:\ttdarplatform.csoc\\Policies\\{930F30D1-C2E1-4696-8216-1ABC37D49C64}\\gpt.ini\n\nAccess Request Information:\n\tAccess Mask:\t\t0x120089\n\tAccesses:\t\tREAD_CONTROL\n\t\t\t\tSYNCHRONIZE\n\t\t\t\tReadData (or ListDirectory)\n\t\t\t\tReadEA\n\t\t\t\tReadAttributes\n\t\t\t\t\nAccess Check Results:\n\tREAD_CONTROL:\tGranted by Ownership\n\t\t\t\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;WD)\n\t\t\t\tReadEA:\tGranted by\tD:(A;;0x1200a9;;;WD)\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.547Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Detailed File Share","kind":"event","code":5145,"hash":"c9f02bd29553efb91f55466cc496591069b692f76fc00105df5985ccb5da5a19","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850848,"event_id":5145,"process":{"thread":{"id":4340},"pid":4},"event_data":{"AccessMask":"0x120089","SubjectUserSid":"S-1-5-18","AccessList":"%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4419\n\t\t\t\t%%4423\n\t\t\t\t","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","ShareLocalPath":"\\??\\C:\\Windows\\SYSVOL\\sysvol","IpAddress":"fe80::8fa:3638:53e1:fb32","RelativeTargetName":"tdarplatform.csoc\\Policies\\{930F30D1-C2E1-4696-8216-1ABC37D49C64}\\gpt.ini","AccessReason":"%%1538:\t%%1804\n\t\t\t\t%%1541:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4416:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4419:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t","SubjectLogonId":"0xcefe602","ObjectType":"File","ShareName":"\\\\*\\SYSVOL","IpPort":"52470"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Detailed File Share"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408897   Key:   Timestamp: 2025-12-06 11:43:59.321 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:53.550Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-06T12:07:55.231Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850855,"event_id":4703,"process":{"thread":{"id":4340},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408898   Key:   Timestamp: 2025-12-06 11:44:05.329 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:59.578Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:08:01.257Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830326,"event_id":4703,"process":{"thread":{"id":4996},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408899   Key:   Timestamp: 2025-12-06 11:44:05.329 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:59.576Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:08:01.257Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830324,"event_id":4703,"process":{"thread":{"id":4996},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408900   Key:   Timestamp: 2025-12-06 11:44:05.329 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:59.563Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:08:01.257Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830320,"event_id":4703,"process":{"thread":{"id":4996},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408901   Key:   Timestamp: 2025-12-06 11:44:05.329 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:07:59.592Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-06T12:08:01.257Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830327,"event_id":4703,"process":{"thread":{"id":4996},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408902   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2412\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t50782\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.510Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"e552128b83188fd3b4d34a57c06417fb3435b4eed935e9cd26458356f8c075a6","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830645,"event_id":5156,"process":{"thread":{"id":4296},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","RemoteMachineID":"S-1-0-0","DestAddress":"172.30.4.206","DestPort":"53","SourceAddress":"172.30.4.206","ProcessID":"2412","Protocol":"17","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"50782"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408903   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t64587\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.512Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"84207ca3967aa1714485d90dbdb1b5b5cbcce32fb3bf3364ccc4d22f61bae72c","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830652,"event_id":5158,"process":{"thread":{"id":4296},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"676","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","SourceAddress":"0.0.0.0","Protocol":"17","FilterRTID":"0","SourcePort":"64587"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering 
Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408904   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t53653\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.514Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"36aa21affce556ff3e91d837ff5c9c58deb367d224be155caf1683c7dbb29f08","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830659,"event_id":5158,"process":{"thread":{"id":4296},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"676","LayerName":"%%14608","SourceAddress":"0.0.0.0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","Protocol":"17","FilterRTID":"0","SourcePort":"53653"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering 
Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408905   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t50782\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.510Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"e3618f14f1d089f5e8977b914e57d830420c5a0068b80d2bc0b570f7f6f2ed22","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830643,"event_id":5158,"process":{"thread":{"id":4296},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"676","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","SourceAddress":"0.0.0.0","Protocol":"17","FilterRTID":"0","SourcePort":"50782"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering 
Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408906   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t53084\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.511Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"94a696fb93151a530abdec767a4e12cfa52171886e1bc57eccf668877f4b0151","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830646,"event_id":5158,"process":{"thread":{"id":4296},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"676","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","SourceAddress":"::","Protocol":"17","FilterRTID":"0","SourcePort":"53084"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform 
Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408907   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t50821\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.511Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"7f8329c1f9e689e4957076675fda669e74001915fc667555633fc8890f55bac3","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830650,"event_id":5158,"process":{"thread":{"id":4296},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"676","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","SourceAddress":"::","Protocol":"17","FilterRTID":"0","SourcePort":"50821"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform 
Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408908   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t64587\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65789\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.512Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"5630a0cf6512d8cb11faed2d06434e59a96ee708dac925cea17c5a048f15a64e","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830653,"event_id":5156,"process":{"thread":{"id":4296},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","DestAddress":"172.30.4.206","DestPort":"53","Protocol":"17","SourceAddress":"172.30.4.206","ProcessID":"676","RemoteMachineID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65789","SourcePort":"64587"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408909   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2412\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59029\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.513Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d919f88e7f9a511e9d3b162220854558a601c61352c0585beaee2ea7108a8d56","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830657,"event_id":5156,"process":{"thread":{"id":4296},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","RemoteMachineID":"S-1-0-0","SourceAddress":"::1","DestAddress":"::1","Protocol":"17","ProcessID":"2412","DestPort":"53","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"59029"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408910   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t60869\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.514Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"d260661a9265d9b37846f974bf62dc57ee18c9cad74ec83e20ccac9de1fffc06","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830660,"event_id":5158,"process":{"thread":{"id":4296},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"676","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","SourceAddress":"0.0.0.0","Protocol":"17","FilterRTID":"0","SourcePort":"60869"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering 
Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408911   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t53084\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.511Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"c6ff2453c8a62dc9025451a30a0143bb44d2dbb04e083251e1ab0c6b22331bf9","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830648,"event_id":5156,"process":{"thread":{"id":4296},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","DestAddress":"::1","DestPort":"53","Protocol":"17","RemoteMachineID":"S-1-0-0","ProcessID":"676","SourceAddress":"::1","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"53084"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408912   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t59029\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.513Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"d7a2a6d2d6c436d5205f12fdc27ac8e1f4e33a60e8efafc113c013ace4186f6f","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830655,"event_id":5158,"process":{"thread":{"id":4296},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"676","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","SourceAddress":"::","Protocol":"17","FilterRTID":"0","SourcePort":"59029"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform 
Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408913   Key:   Timestamp: 2025-12-06 11:45:35.344 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2412\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t60869\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:29.514Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"5dcc793b050c87ec7996a455ae5a6b09510ba6052bd1868c214c4f3b27eab536","outcome":"success","created":"2025-12-06T12:09:31.267Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830662,"event_id":5156,"process":{"thread":{"id":4296},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","DestAddress":"172.30.4.206","Protocol":"17","DestPort":"53","RemoteMachineID":"S-1-0-0","ProcessID":"2412","SourceAddress":"172.30.4.206","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"60869"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408914   Key:   Timestamp: 2025-12-06 11:45:36.348 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.254\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.1\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:30.413Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"32be4e7bd564687a554f50e5cb0aa419311d6f01b77114a69558b50c8f05a6b3","outcome":"success","created":"2025-12-06T12:09:32.274Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830663,"event_id":5156,"process":{"thread":{"id":4296},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.254","RemoteMachineID":"S-1-0-0","DestPort":"0","Protocol":"2","Application":"System","ProcessID":"4","DestAddress":"224.0.0.1","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408915   Key:   Timestamp: 2025-12-06 11:45:38.212 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:32.614Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"bd436a530a161ef3e6f3cab55e46e8d6434f5893be45471484a419b558becfc4","outcome":"success","created":"2025-12-06T12:09:34.126Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850976,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.205","DestAddress":"224.0.0.251","Protocol":"2","RemoteMachineID":"S-1-0-0","Application":"System","ProcessID":"4","DestPort":"0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408916   Key:   Timestamp: 2025-12-06 11:45:38.212 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:32.614Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"545161f1bc97c75d6e1f1c2b2f21cd228b666f634c2648968175d61da9f8df31","outcome":"success","created":"2025-12-06T12:09:34.126Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850977,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","Protocol":"2","DestAddress":"224.0.0.251","DestPort":"0","ProcessID":"4","SourceAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408917   Key:   Timestamp: 2025-12-06 11:45:38.212 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:32.614Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"b8ecff2fa088e69d7d4f8e9f8aad751d4ef71e9e80e2a4bc5c4976cd8be8809b","outcome":"success","created":"2025-12-06T12:09:34.126Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850978,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.205","DestAddress":"239.255.255.250","RemoteMachineID":"S-1-0-0","DestPort":"0","Protocol":"2","ProcessID":"4","Application":"System","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408918   Key:   Timestamp: 2025-12-06 11:45:38.212 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:33.118Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"8ef87cc2271e90dd22e590256418f5913f1641a48280fc3191bebb56abeb7f29","outcome":"success","created":"2025-12-06T12:09:34.126Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850979,"event_id":5156,"process":{"thread":{"id":4340},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","SourceAddress":"172.30.4.205","DestPort":"0","Protocol":"2","RemoteMachineID":"S-1-0-0","ProcessID":"4","DestAddress":"224.0.0.252","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408919   Key:   Timestamp: 2025-12-06 11:45:39.227 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t52478\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:33.967Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"ce8da64a201063d22c881ea274f424c12cce8a3cf042790e15db579d9aa8b9cf","outcome":"success","created":"2025-12-06T12:09:35.140Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850980,"event_id":5158,"process":{"thread":{"id":5864},"pid":4},"event_data":{"ProcessId":"2480","LayerRTID":"38","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"52478"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform 
Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408920   Key:   Timestamp: 2025-12-06 11:45:39.227 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t52478\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t53011\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67828\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:33.967Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"efe7e8d867b629022cc05f2ed7d2fe612e5eee5f57f310eb7c39c1d12c5836e8","outcome":"success","created":"2025-12-06T12:09:35.140Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 
(rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850981,"event_id":5156,"process":{"thread":{"id":5864},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestAddress":"fe80::cd46:3442:b9b4:26f4","RemoteMachineID":"S-1-0-0","Protocol":"6","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","ProcessID":"2480","DestPort":"53011","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67828","SourcePort":"52478"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408921   Key:   Timestamp: 2025-12-06 11:45:39.359 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2460\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t52478\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t53011\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t66908\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:33.974Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"6d7f4bc00666457656659c5b059729d573799596646a9199bbeb1727b1e57860","outcome":"success","created":"2025-12-06T12:09:35.283Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830664,"event_id":5156,"process":{"thread":{"id":1300},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","RemoteMachineID":"S-1-0-0","DestPort":"53011","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"2460","Protocol":"6","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66908","SourcePort":"52478"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408922   Key:   Timestamp: 2025-12-06 11:45:39.359 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1104\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xDD72050\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{3CA5EA31-F1C6-E065-C37D-2D2D864B5A7C}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t52478\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:33.976Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"0b0c0f592758f927a56597ca865ca578d896cc9028f3131adce8b54392d7829c","outcome":"success","created":"2025-12-06T12:09:35.283Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830665,"event_id":4624,"process":{"thread":{"id":4672},"pid":676},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","IpAddress":"fe80::6c1c:1afd:b16:ecb9","SubjectUserName":"-","TargetOutboundUserName":"-","LogonGuid":"{3CA5EA31-F1C6-E065-C37D-2D2D864B5A7C}","ImpersonationLevel":"%%1833","TargetLogonId":"0xdd72050","SubjectLogonId":"0x0","IpPort":"52478","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1104","LmPackageName":"-","ProcessId":"0x0","SubjectUserSid":"S-1-0-0","TargetOutboundDomainName":"-","ProcessName":"-","KeyLength":"0","LogonType":"3","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{A040D0FF-4D0A-0000-14D1-40A00A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408923   Key:   Timestamp: 2025-12-06 11:45:41.246 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2392\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t52479\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:35.833Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"be5599b8ffe3a393f764659d979b17144ff8590261969f189b1a1afe398b628c","outcome":"success","created":"2025-12-06T12:09:37.167Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850982,"event_id":5158,"process":{"thread":{"id":5864},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2392","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"52479"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit 
Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408924   Key:   Timestamp: 2025-12-06 11:45:41.246 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2392\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t52479\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:35.834Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"583088cd787690415183fc05b7ab56392480dc51e92a184048dbd6615344e228","outcome":"success","created":"2025-12-06T12:09:37.167Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":173850983,"event_id":5156,"process":{"thread":{"id":5864},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files 
(x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"172.30.4.205","Protocol":"6","DestPort":"1514","RemoteMachineID":"S-1-0-0","ProcessID":"2392","DestAddress":"172.30.2.163","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"52479"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408925   Key:   Timestamp: 2025-12-06 11:45:41.375 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:35.791Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"ffd3ac094d35d7eb47fadbc9784a53dc3656eb785ba824f31e27cb962b13d1ff","outcome":"success","created":"2025-12-06T12:09:37.291Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830668,"event_id":5156,"process":{"thread":{"id":1368},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.206","RemoteMachineID":"S-1-0-0","DestPort":"0","Application":"System","DestAddress":"224.0.0.251","ProcessID":"4","Protocol":"2","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 1408926   Key:   Timestamp: 2025-12-06 11:45:41.375 Headers: empty
 
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-06T12:09:35.791Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"ad6d351b0a9c5927c7b59faad35f3f79c33fe6d7ede0999c7ffa9541b78369e6","outcome":"success","created":"2025-12-06T12:09:37.291Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 
(rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":224830667,"event_id":5156,"process":{"thread":{"id":1368},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.206","RemoteMachineID":"S-1-0-0","DestPort":"0","DestAddress":"224.0.0.251","Protocol":"2","ProcessID":"4","Application":"System","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}