Kafdrop: Topic: logstash-local-windows: Messages

Topic Messages: logstash-local-windows

First Offset: 1455992 Last Offset: 1487341 Size: 31349

Partition

Offset

# messages

Message format

Protobuf descriptor

Protobuf message type name

Offset: 1455992 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.216Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.517Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279535,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1455993 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xEF79B78\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.224Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"65739097928905067f197d6d5c768395181fc0f3e92b6ccbfac859ca386fc3e9","outcome":"success","created":"2025-12-09T03:54:48.518Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279549,"event_id":4672,"process":{"thread":{"id":1936},"pid":676},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xef79b78","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1455994 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.220Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.517Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279537,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1455995 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xEF79B78\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.225Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"70d391b3d66acef628ba1b845c079b6b61b44cf784038a129542c7b065772187","outcome":"success","created":"2025-12-09T03:54:48.518Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279552,"event_id":4634,"process":{"thread":{"id":2092},"pid":676},"event_data":{"LogonType":"3","TargetDomainName":"TDARPLATFORM","TargetLogonId":"0xef79b78","TargetUserName":"W2016AD-N25$","TargetUserSid":"S-1-5-18"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1455996 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.243Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.518Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279544,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1455997 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59818\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.222Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"31bceb9d6601488e161d1c2571aab9bdce8b7c16d67af5d9120cd2fcbbf02f21","outcome":"success","created":"2025-12-09T03:54:48.518Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279548,"event_id":5156,"process":{"thread":{"id":5100},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"::1","DestAddress":"::1","RemoteMachineID":"S-1-0-0","Protocol":"6","DestPort":"389","ProcessID":"676","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"59818"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1455998 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.231Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.517Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279540,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1455999 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.217Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.517Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279536,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456000 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.232Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.517Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279541,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456001 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.244Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.518Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279545,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456002 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xEF79B78\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{990C0ED2-DD0D-1C44-977C-3A828AEF68B2}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t::1\n\tSource Port:\t\t59818\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.224Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"0866d97987d6001deedbf6d8f5c1d63f242e6d3369a47815d851676d57199078","outcome":"success","created":"2025-12-09T03:54:48.518Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279550,"event_id":4624,"process":{"thread":{"id":1936},"pid":676},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"W2016AD-N25$","LogonProcessName":"Kerberos","SubjectDomainName":"-","IpAddress":"::1","SubjectUserName":"-","TargetOutboundUserName":"-","LogonGuid":"{990C0ED2-DD0D-1C44-977C-3A828AEF68B2}","ImpersonationLevel":"%%1833","TargetLogonId":"0xef79b78","SubjectLogonId":"0x0","IpPort":"59818","TargetUserSid":"S-1-5-18","TargetOutboundDomainName":"-","ProcessName":"-","SubjectUserSid":"S-1-0-0","ProcessId":"0x0","LmPackageName":"-","KeyLength":"0","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","LogonType":"3","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456003 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.243Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.517Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279542,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessId":"0x11c","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456004 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:47.243Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:54:48.517Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279543,"event_id":4703,"process":{"thread":{"id":5100},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456005 Key: Timestamp: 2025-12-09 03:30:49.129 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t3696\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59818\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.222Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"1c73206086e4d9e792b9b0b0c4209be31bd40954bd3abbcf0ccf6af3722b8838","outcome":"success","created":"2025-12-09T03:54:48.518Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225279547,"event_id":5156,"process":{"thread":{"id":5100},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"::1","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","DestPort":"389","Protocol":"6","ProcessID":"3696","DestAddress":"::1","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"59818"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456006 Key: Timestamp: 2025-12-09 03:30:51.011 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t936\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61780\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t135\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.942Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"7f3530f1ec48a206f356ace3c14f9c1e76578689e51d64eb7dfc316b13b770cd","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329903,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","RemoteMachineID":"S-1-0-0","DestPort":"135","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","DestAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"936","Protocol":"6","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"61780"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456007 Key: Timestamp: 2025-12-09 03:30:51.011 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xDFFA5D5\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.978Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"bfebaa1379bcfc0cf8bed17d4c64f3d1f0bf26ca979638ee67835d0b9a3c16bf","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329911,"event_id":4634,"process":{"thread":{"id":4420},"pid":692},"event_data":{"TargetLogonId":"0xdffa5d5","LogonType":"3","TargetDomainName":"TDARPLATFORM","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetUserSid":"S-1-5-18"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456008 Key: Timestamp: 2025-12-09 03:30:51.011 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t692\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61782\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.980Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"79f17ddea9e15ad7cfe0dae526933fccc8d7d90f45dc07e3d62b7948d61e454a","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329914,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","DestAddress":"fe80::6c1c:1afd:b16:ecb9","RemoteMachineID":"S-1-0-0","Protocol":"6","DestPort":"389","ProcessID":"692","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"61782"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456009 Key: Timestamp: 2025-12-09 03:30:51.011 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t692\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t62507\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t49669\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.943Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"61015a92c16ba9ea93842c0c7e64485e6438c6565be73e2f65abc9fe531603ef","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329904,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestAddress":"fe80::6c1c:1afd:b16:ecb9","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","DestPort":"49669","Protocol":"6","ProcessID":"692","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"62507"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456010 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t61782\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.979Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"831eb9ebe5c7c9e3ba3dd28942f73b569b423ea29330e7c1633bbeac0de6beb2","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329912,"event_id":5158,"process":{"thread":{"id":3764},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"2480","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"61782"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456011 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t692\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t60416\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.940Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"fa39eed75a306ab0b5fcdf4106ba561cfe6a7bc3306ddc628aa3ab5c5ee8920b","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329900,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","RemoteMachineID":"S-1-0-0","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestPort":"389","Protocol":"6","ProcessID":"692","DestAddress":"fe80::6c1c:1afd:b16:ecb9","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"60416"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456012 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xDFFA64F\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.981Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"f40a5e789c10664fe8072b1182e11653652452893ca95adc1d7b6045e4c982ae","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329915,"event_id":4672,"process":{"thread":{"id":4888},"pid":692},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xdffa64f","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456013 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t61781\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.970Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"29051b165c9483a26c63132066a61da662a3b5ae3c84df123ecbd825f5276b9b","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329905,"event_id":5158,"process":{"thread":{"id":3764},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"2480","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"61781"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456014 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61781\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.970Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"e9496f36f2c7063fc7739be544929ca7f0aa835515f89f66fde623e3302d7e3a","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329906,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","RemoteMachineID":"S-1-0-0","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestPort":"389","DestAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"2480","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"61781"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456015 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t692\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61781\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.970Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"ea229e4c2befd4a37de5c4507c89f81654fe9c1f0364529aa64c10ca1ea54a25","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329907,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","RemoteMachineID":"S-1-0-0","DestPort":"389","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"692","Protocol":"6","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"61781"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456016 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xDFFA5D5\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.972Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"39db5f0ba58e64e92f3fc63402187a48bae889603000fbbcb729cb4369597b07","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329908,"event_id":4672,"process":{"thread":{"id":5192},"pid":692},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xdffa5d5","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456017 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61782\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.980Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"586d211508a8b11445d525534de47493c52bf2c660f82f83d3043eefe391bba3","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329913,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestAddress":"fe80::6c1c:1afd:b16:ecb9","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","ProcessID":"2480","DestPort":"389","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"61782"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456018 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61780\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t135\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.942Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"e47eb93ccf2bf9efae6c84a68d5c10cd7674d2cd5b7ed46c08bd17d74c62ee2b","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329902,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","Protocol":"6","DestPort":"135","RemoteMachineID":"S-1-0-0","ProcessID":"2480","DestAddress":"fe80::6c1c:1afd:b16:ecb9","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"61780"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456019 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xDFFA5D5\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{6A75CB6E-BE25-A65F-629A-5616EAFD4D81}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61781\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.972Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"3734a44426ad2c4dab2e0b0f2c5898583b5cec5f5d90799058b91aab46bf29bc","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329909,"event_id":4624,"process":{"thread":{"id":5192},"pid":692},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","IpAddress":"fe80::6c1c:1afd:b16:ecb9","SubjectUserName":"-","TargetOutboundUserName":"-","LogonGuid":"{6A75CB6E-BE25-A65F-629A-5616EAFD4D81}","ImpersonationLevel":"%%1833","TargetLogonId":"0xdffa5d5","SubjectLogonId":"0x0","IpPort":"61781","TargetUserSid":"S-1-5-18","TargetOutboundDomainName":"-","ProcessId":"0x0","SubjectUserSid":"S-1-0-0","LmPackageName":"-","ProcessName":"-","KeyLength":"0","LogonType":"3","TargetDomainName":"TDARPLATFORM.CSOC","TargetLinkedLogonId":"0x0","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456020 Key: Timestamp: 2025-12-09 03:30:51.012 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xDFFA64F\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.987Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"2b2306ddf60849e8cc37b3bb92d09c9173b087201748fc2234d8ce6bbf192db5","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329918,"event_id":4634,"process":{"thread":{"id":4260},"pid":692},"event_data":{"TargetDomainName":"TDARPLATFORM","TargetLogonId":"0xdffa64f","LogonType":"3","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetUserSid":"S-1-5-18"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logoff"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456021 Key: Timestamp: 2025-12-09 03:30:51.013 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t61780\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.942Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"8209df596e0c7155c0d661349eb55017f167f3f18932bd450d1c234fbdcdce77","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329901,"event_id":5158,"process":{"thread":{"id":3764},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"2480","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"61780"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456022 Key: Timestamp: 2025-12-09 03:30:51.013 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xDFFA64F\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{6A75CB6E-BE25-A65F-629A-5616EAFD4D81}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61782\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:48.981Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"e512ed17d40d9b378e5d3377ccef6d14eb3af4980378c04dc265007cc5c068a8","outcome":"success","created":"2025-12-09T03:54:50.381Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329916,"event_id":4624,"process":{"thread":{"id":4888},"pid":692},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","SubjectUserName":"-","IpAddress":"fe80::6c1c:1afd:b16:ecb9","TargetOutboundUserName":"-","LogonGuid":"{6A75CB6E-BE25-A65F-629A-5616EAFD4D81}","ImpersonationLevel":"%%1833","TargetLogonId":"0xdffa64f","SubjectLogonId":"0x0","IpPort":"61782","TargetUserSid":"S-1-5-18","LmPackageName":"-","ProcessId":"0x0","ProcessName":"-","SubjectUserSid":"S-1-0-0","TargetOutboundDomainName":"-","KeyLength":"0","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","LogonType":"3","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456023 Key: Timestamp: 2025-12-09 03:30:53.024 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t61779\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:54:51.207Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"0c5ff769b61a37e7494e0defc4a3b0e4ec7bfd5702141c5ab10b4bdfcf1f694e","outcome":"failure","created":"2025-12-09T03:54:52.394Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174329919,"event_id":5152,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","SourceAddress":"172.30.2.163","DestAddress":"172.30.4.205","Application":"-","DestPort":"61779","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456024 Key: Timestamp: 2025-12-09 03:35:40.521 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2460\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59845\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:38.110Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"ff05e0668dc260e21a3efd01474684ef4e8b71eb4e590c49202ec28553e494ef","outcome":"success","created":"2025-12-09T03:59:39.917Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280036,"event_id":5158,"process":{"thread":{"id":4908},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2460","LayerName":"%%14608","SourceAddress":"0.0.0.0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","Protocol":"6","FilterRTID":"0","SourcePort":"59845"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456025 Key: Timestamp: 2025-12-09 03:35:40.521 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2460\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t59845\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t62510\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67659\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:38.110Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"5db04dc58f63f042f9cc66e7a5ad8723263fb82137ec44a8c21305c60c79e8ba","outcome":"success","created":"2025-12-09T03:59:39.917Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280037,"event_id":5156,"process":{"thread":{"id":4908},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.206","RemoteMachineID":"S-1-0-0","DestAddress":"172.30.4.205","DestPort":"62510","Protocol":"6","ProcessID":"2460","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67659","SourcePort":"59845"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456026 Key: Timestamp: 2025-12-09 03:35:40.521 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:38.798Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"870d25250e08accc62aff130fee422a198bea2d662e6b875ec26ae07e4aaefb9","outcome":"success","created":"2025-12-09T03:59:39.917Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280038,"event_id":5156,"process":{"thread":{"id":5100},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.206","DestAddress":"224.0.0.252","Protocol":"2","DestPort":"0","RemoteMachineID":"S-1-0-0","ProcessID":"4","Application":"System","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456027 Key: Timestamp: 2025-12-09 03:35:42.542 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59846\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:40.974Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"588b24244c02c61f182e7412d2be83d29983e8da5cbc2c4ebe51db0a7e439dbf","outcome":"success","created":"2025-12-09T03:59:41.937Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280040,"event_id":5158,"process":{"thread":{"id":5100},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2420","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"59846"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456028 Key: Timestamp: 2025-12-09 03:35:42.542 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t59846\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1515\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:40.974Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"3a320d7b6f62f4dbfc91731d22b64708c6627e3924d398fd89764f9f4b2981c4","outcome":"success","created":"2025-12-09T03:59:41.937Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280041,"event_id":5156,"process":{"thread":{"id":5100},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.206","DestAddress":"172.30.2.163","DestPort":"1515","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","Protocol":"6","ProcessID":"2420","RemoteMachineID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"59846"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456029 Key: Timestamp: 2025-12-09 03:35:42.542 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1515\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t59846\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:41.580Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"a94b8136ce3efa08205dd31cd6462c469866357a4af85d5eda34a30a5dd56ccd","outcome":"failure","created":"2025-12-09T03:59:41.937Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280042,"event_id":5152,"process":{"thread":{"id":4832},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","DestAddress":"172.30.4.206","Protocol":"6","DestPort":"59846","SourceAddress":"172.30.2.163","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1515"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456030 Key: Timestamp: 2025-12-09 03:35:42.542 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:40.790Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"fa3fdde9c098dcbb48204031b7a11321d32152e29e7222facf92e07b9875bed1","outcome":"success","created":"2025-12-09T03:59:41.937Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280039,"event_id":5156,"process":{"thread":{"id":5100},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","Protocol":"2","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.206","ProcessID":"4","DestPort":"0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456031 Key: Timestamp: 2025-12-09 03:35:43.506 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t61808\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:41.570Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"d318538df215159429dac0129fa98b2c7ac3dd6467637cb7497bb7cf6d92464b","outcome":"failure","created":"2025-12-09T03:59:42.881Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330466,"event_id":5152,"process":{"thread":{"id":3152},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","SourceAddress":"172.30.2.163","Application":"-","Protocol":"6","DestAddress":"172.30.4.205","DestPort":"61808","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456032 Key: Timestamp: 2025-12-09 03:35:45.566 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t52345\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:43.171Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"5cc9381f069c9ec09264626bc6daf8175327c082ba1d5ae94c3065a113e5af6a","outcome":"success","created":"2025-12-09T03:59:44.954Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280043,"event_id":5156,"process":{"thread":{"id":5100},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"::1","DestAddress":"::1","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","Protocol":"6","RemoteMachineID":"S-1-0-0","ProcessID":"676","DestPort":"389","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"52345"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456033 Key: Timestamp: 2025-12-09 03:35:46.520 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:43.928Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:59:45.908Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330468,"event_id":4703,"process":{"thread":{"id":2664},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456034 Key: Timestamp: 2025-12-09 03:35:46.520 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:43.930Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:59:45.908Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330470,"event_id":4703,"process":{"thread":{"id":2664},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456035 Key: Timestamp: 2025-12-09 03:35:46.520 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:43.927Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:59:45.908Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330467,"event_id":4703,"process":{"thread":{"id":2664},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456036 Key: Timestamp: 2025-12-09 03:35:46.520 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:43.931Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:59:45.908Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330471,"event_id":4703,"process":{"thread":{"id":2664},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456037 Key: Timestamp: 2025-12-09 03:35:46.520 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:43.929Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:59:45.908Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330469,"event_id":4703,"process":{"thread":{"id":2664},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456038 Key: Timestamp: 2025-12-09 03:35:46.520 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:43.932Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:59:45.908Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330472,"event_id":4703,"process":{"thread":{"id":2664},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456039 Key: Timestamp: 2025-12-09 03:35:46.520 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:43.937Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:59:45.908Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330473,"event_id":4703,"process":{"thread":{"id":2664},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456040 Key: Timestamp: 2025-12-09 03:35:49.621 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.367Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280046,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456041 Key: Timestamp: 2025-12-09 03:35:49.621 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.391Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280052,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456042 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.366Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.001Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280045,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456043 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.391Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280054,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456044 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.369Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280047,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessId":"0x11c","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456045 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.392Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280055,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456046 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.378Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280048,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456047 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.378Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280049,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456048 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.379Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280050,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456049 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.380Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280051,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456050 Key: Timestamp: 2025-12-09 03:35:49.621 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1515\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t59846\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:46.980Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"a94b8136ce3efa08205dd31cd6462c469866357a4af85d5eda34a30a5dd56ccd","outcome":"failure","created":"2025-12-09T03:59:49.001Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280044,"event_id":5152,"process":{"thread":{"id":4908},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","DestAddress":"172.30.4.206","DestPort":"59846","Protocol":"6","SourceAddress":"172.30.2.163","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1515"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456051 Key: Timestamp: 2025-12-09 03:35:49.622 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:47.391Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:59:49.002Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280053,"event_id":4703,"process":{"thread":{"id":4908},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456052 Key: Timestamp: 2025-12-09 03:35:50.633 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xEF7F3CC\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{990C0ED2-DD0D-1C44-977C-3A828AEF68B2}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t::1\n\tSource Port:\t\t59847\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:48.274Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"5eedb3683e0192f2934d7801135d576694e467b25a57b6e0240650484268e447","outcome":"success","created":"2025-12-09T03:59:50.028Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280060,"event_id":4624,"process":{"thread":{"id":1936},"pid":676},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"W2016AD-N25$","LogonProcessName":"Kerberos","SubjectDomainName":"-","SubjectUserName":"-","IpAddress":"::1","TargetOutboundUserName":"-","LogonGuid":"{990C0ED2-DD0D-1C44-977C-3A828AEF68B2}","ImpersonationLevel":"%%1833","TargetLogonId":"0xef7f3cc","SubjectLogonId":"0x0","IpPort":"59847","TargetUserSid":"S-1-5-18","TargetOutboundDomainName":"-","ProcessName":"-","SubjectUserSid":"S-1-0-0","ProcessId":"0x0","LmPackageName":"-","KeyLength":"0","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","LogonType":"3","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456053 Key: Timestamp: 2025-12-09 03:35:50.633 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xEF7F3CC\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:48.274Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"ef72ab69873c972b5563888cb5565e0e72a8ac477e19586383ca6ced58ec8733","outcome":"success","created":"2025-12-09T03:59:50.028Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280059,"event_id":4672,"process":{"thread":{"id":1936},"pid":676},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xef7f3cc","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456054 Key: Timestamp: 2025-12-09 03:35:50.634 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2460\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61811\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t53011\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t66908\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:49.157Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"3c456230203d51a62c9468538d49f28d1252858a919ce366db612e8626f6dfa7","outcome":"success","created":"2025-12-09T03:59:50.028Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280063,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestAddress":"fe80::cd46:3442:b9b4:26f4","DestPort":"53011","Protocol":"6","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","ProcessID":"2460","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66908","SourcePort":"61811"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456055 Key: Timestamp: 2025-12-09 03:35:50.634 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xEF7F3CC\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:48.275Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"69b50d71ff5ceb9cf466a94fdd7ebd6fa5046b35cea629aeb59c9733bbce91dd","outcome":"success","created":"2025-12-09T03:59:50.028Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280062,"event_id":4634,"process":{"thread":{"id":1012},"pid":676},"event_data":{"TargetDomainName":"TDARPLATFORM","TargetLogonId":"0xef7f3cc","LogonType":"3","TargetUserName":"W2016AD-N25$","TargetUserSid":"S-1-5-18"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456056 Key: Timestamp: 2025-12-09 03:35:50.633 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59847\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:59:48.272Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"a071d589458449d3e07b99537be269f65eb3e97687ca0d8493181a941f8992c8","outcome":"success","created":"2025-12-09T03:59:50.028Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280058,"event_id":5156,"process":{"thread":{"id":4908},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","RemoteMachineID":"S-1-0-0","Protocol":"6","DestPort":"389","SourceAddress":"::1","ProcessID":"676","DestAddress":"::1","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"59847"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456057 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.747Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330537,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456058 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.748Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330538,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456059 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.733Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330535,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456060 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.761Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330540,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456061 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.762Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330541,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456062 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t61815\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.620Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"164b11a1926a443ccbfd003213fc763b229fed25ef0b7dfb8ca033997ca2dcfc","outcome":"failure","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330532,"event_id":5152,"process":{"thread":{"id":3156},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","SourceAddress":"172.30.2.163","DestAddress":"172.30.4.205","DestPort":"61815","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456063 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.729Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330533,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456064 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.730Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330534,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456065 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.749Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330539,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456066 Key: Timestamp: 2025-12-09 03:36:39.910 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.762Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330542,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456067 Key: Timestamp: 2025-12-09 03:36:39.911 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.747Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.297Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330536,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456068 Key: Timestamp: 2025-12-09 03:36:39.911 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:37.763Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T04:00:39.298Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330543,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456069 Key: Timestamp: 2025-12-09 03:36:42.105 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t1084\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t123\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t123\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:40.472Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"6a34c65b11173004516ebbfbccdb2756c533a7a9847eb5c87c61dc83a0cb4556","outcome":"success","created":"2025-12-09T04:00:41.498Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280106,"event_id":5156,"process":{"thread":{"id":212},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.205","RemoteMachineID":"S-1-0-0","DestPort":"123","Protocol":"17","DestAddress":"172.30.4.206","ProcessID":"1084","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"123"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456070 Key: Timestamp: 2025-12-09 03:36:42.921 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t1116\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t123\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t123\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:40.461Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"01c5785960d4d19ba2842f963d2769b68753d70fa420b359bbffef7f6065cef1","outcome":"success","created":"2025-12-09T04:00:42.303Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330544,"event_id":5156,"process":{"thread":{"id":3156},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.205","RemoteMachineID":"S-1-0-0","Protocol":"17","DestAddress":"172.30.4.206","DestPort":"123","ProcessID":"1116","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"123"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456071 Key: Timestamp: 2025-12-09 03:36:42.921 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An operation was performed on an object.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tLOCAL SERVICE\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E5\n\nObject:\n\tObject Server:\t\tLSA\n\tObject Type:\t\tSecretObject\n\tObject Name:\t\tPolicy\\Secrets\\$MACHINE.ACC\n\tHandle ID:\t\t0x27cecd60650\n\nOperation:\n\tOperation Type:\t\tQuery\n\tAccesses:\t\tQuery secret value\n\t\t\t\t\n\tAccess Mask:\t\t0x2\n\tProperties:\t\t-\n\nAdditional Information:\n\tParameter 1:\t\t-\n\tParameter 2:\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:40.481Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Object Access Events","kind":"event","code":4662,"hash":"9a63328707ff586875cf25d174e51e4733cabdf8092f43964d50025fc2de7b0c","outcome":"success","created":"2025-12-09T04:00:42.303Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330545,"event_id":4662,"process":{"thread":{"id":4420},"pid":692},"event_data":{"SubjectUserSid":"S-1-5-19","AccessMask":"0x2","HandleId":"0x27cecd60650","Properties":"-","AccessList":"%%5649\n\t\t\t\t","SubjectDomainName":"NT AUTHORITY","ObjectServer":"LSA","SubjectUserName":"LOCAL SERVICE","OperationType":"Query","AdditionalInfo":"-","SubjectLogonId":"0x3e5","ObjectType":"SecretObject","ObjectName":"Policy\\Secrets\\$MACHINE.ACC","AdditionalInfo2":"-"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Other Object Access Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456072 Key: Timestamp: 2025-12-09 03:36:45.133 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t59850\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:43.039Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"c8a81931c4dc8579a5cfb6b2eddf2ae9ccbd956ce5fba318500ed48e06438aa8","outcome":"success","created":"2025-12-09T04:00:44.529Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280108,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","RemoteMachineID":"S-1-0-0","Protocol":"6","DestPort":"1514","SourceAddress":"172.30.4.206","ProcessID":"2420","DestAddress":"172.30.2.163","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"59850"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456073 Key: Timestamp: 2025-12-09 03:36:45.133 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t59850\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:43.641Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"b66731d3cf24bc63c02002f90e2d9935868a6d34418fcfc169bce99d37831fa0","outcome":"failure","created":"2025-12-09T04:00:44.529Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280109,"event_id":5152,"process":{"thread":{"id":1328},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","SourceAddress":"172.30.2.163","DestPort":"59850","DestAddress":"172.30.4.206","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456074 Key: Timestamp: 2025-12-09 03:36:45.133 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59850\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:43.039Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"1df9d6889eec726af19cd074b28923b2227d70e5804f5afb851b9d68751db113","outcome":"success","created":"2025-12-09T04:00:44.529Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280107,"event_id":5158,"process":{"thread":{"id":1328},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2420","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"59850"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456075 Key: Timestamp: 2025-12-09 03:36:45.931 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t61815\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:43.632Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"164b11a1926a443ccbfd003213fc763b229fed25ef0b7dfb8ca033997ca2dcfc","outcome":"failure","created":"2025-12-09T04:00:45.321Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174330546,"event_id":5152,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","SourceAddress":"172.30.2.163","DestPort":"61815","Protocol":"6","DestAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456076 Key: Timestamp: 2025-12-09 03:36:50.185 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.405Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280114,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456077 Key: Timestamp: 2025-12-09 03:36:50.185 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t3696\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t59851\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:48.282Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"91e0ebd245da4942348bbe0737a9c8a81ac485cf2e3891ec73bb6b3b6cf259fa","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280121,"event_id":5158,"process":{"thread":{"id":212},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"3696","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"59851"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456078 Key: Timestamp: 2025-12-09 03:36:50.185 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.405Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280113,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456079 Key: Timestamp: 2025-12-09 03:36:50.185 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.419Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280120,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456080 Key: Timestamp: 2025-12-09 03:36:50.185 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.406Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280115,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0x11c","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456081 Key: Timestamp: 2025-12-09 03:36:50.185 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t3696\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59851\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:48.282Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"9e8339cd7cc86d341bd10499d04cb4bd88b72e269c374f4493dbdda834f74577","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280122,"event_id":5156,"process":{"thread":{"id":212},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","RemoteMachineID":"S-1-0-0","DestPort":"389","SourceAddress":"::1","DestAddress":"::1","ProcessID":"3696","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"59851"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456082 Key: Timestamp: 2025-12-09 03:36:50.185 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.407Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280116,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456083 Key: Timestamp: 2025-12-09 03:36:50.185 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59851\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:48.283Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"efc0221649a558bbd0436f78df16594fa200a3fe5de3eae07ce0246bf1e36b03","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280123,"event_id":5156,"process":{"thread":{"id":212},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","DestAddress":"::1","DestPort":"389","Protocol":"6","SourceAddress":"::1","ProcessID":"676","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"59851"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456084 Key: Timestamp: 2025-12-09 03:36:50.186 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.391Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.576Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280110,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0x11c","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456085 Key: Timestamp: 2025-12-09 03:36:50.186 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.392Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.576Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280111,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456086 Key: Timestamp: 2025-12-09 03:36:50.186 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.418Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280118,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456087 Key: Timestamp: 2025-12-09 03:36:50.186 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xEF8092D\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{990C0ED2-DD0D-1C44-977C-3A828AEF68B2}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t::1\n\tSource Port:\t\t59851\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:48.284Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"8c77046bceec44588a6a7f38ebaf601d7c2e072a2563b35a0535a720b2e1db15","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280125,"event_id":4624,"process":{"thread":{"id":1936},"pid":676},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"W2016AD-N25$","LogonProcessName":"Kerberos","SubjectDomainName":"-","SubjectUserName":"-","IpAddress":"::1","TargetOutboundUserName":"-","LogonGuid":"{990C0ED2-DD0D-1C44-977C-3A828AEF68B2}","ImpersonationLevel":"%%1833","TargetLogonId":"0xef8092d","SubjectLogonId":"0x0","IpPort":"59851","TargetUserSid":"S-1-5-18","LmPackageName":"-","ProcessId":"0x0","SubjectUserSid":"S-1-0-0","TargetOutboundDomainName":"-","ProcessName":"-","KeyLength":"0","TargetDomainName":"TDARPLATFORM.CSOC","TargetLinkedLogonId":"0x0","LogonType":"3","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456088 Key: Timestamp: 2025-12-09 03:36:50.186 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:47.418Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280117,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456089 Key: Timestamp: 2025-12-09 03:36:50.186 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xEF8092D\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:00:48.284Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"30294eade3425b03d3040c15a14fb46ae0280b2f812f8a8f8a836010656b58c1","outcome":"success","created":"2025-12-09T04:00:49.577Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280124,"event_id":4672,"process":{"thread":{"id":1936},"pid":676},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xef8092d","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456090 Key: Timestamp: 2025-12-09 03:37:49.743 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1268\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nFilter Information:\n\tID:\t\t{CFB2268A-9A6D-4DB3-A243-6792AC730BDD}\n\tName:\t\tFile Replication (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t887966\n\nLayer Information:\n\tID:\t\t{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}\n\tName:\t\tALE Listen v6 Layer\n\tRun-Time ID:\t42\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293541528731616\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:01:48.972Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"0566452d43b80502d68794ca1c169adbd4472dc2d555b3f10db85baf0f043b0a","outcome":"success","created":"2025-12-09T04:01:49.105Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280234,"event_id":5447,"process":{"thread":{"id":2092},"pid":676},"event_data":{"ProcessId":"1268","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{CFB2268A-9A6D-4DB3-A243-6792AC730BDD}","LayerId":"42","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Weight":"10376293541528731616","Action":"%%16390","FilterId":"887966","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","FilterType":"%%16388","LayerKey":"{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}","ProviderName":"Microsoft Corporation","LayerName":"ALE Listen v6 Layer","UserSid":"S-1-5-19","CalloutKey":"{00000000-0000-0000-0000-000000000000}","CalloutName":"-","ChangeType":"%%16384","FilterName":"File Replication (RPC-EPMAP)"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{A040D0FF-4D0A-0000-14D1-40A00A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}

Offset: 1456091 Key: Timestamp: 2025-12-09 03:37:49.743 Headers: empty

{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1268\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nFilter Information:\n\tID:\t\t{7D3854FE-39B3-498B-8150-4CD2BA6BE8D6}\n\tName:\t\tActive Directory Domain Controller (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t887973\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T04:01:48.973Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"421c40188a92273edf0f8f30fc8813f9da6b5044390aa5a43e38917cfad1b494","outcome":"success","created":"2025-12-09T04:01:49.105Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225280241,"event_id":5447,"process":{"thread":{"id":2092},"pid":676},"event_data":{"ProcessId":"1268","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{7D3854FE-39B3-498B-8150-4CD2BA6BE8D6}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Weight":"10376540038224674816","LayerId":"46","Action":"%%16390","FilterId":"887973","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","FilterType":"%%16388","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","CalloutKey":"{00000000-0000-0000-0000-000000000000}","LayerName":"ALE Receive/Accept v6 Layer","UserSid":"S-1-5-19","ProviderName":"Microsoft Corporation","CalloutName":"-","ChangeType":"%%16384","FilterName":"Active Directory Domain Controller (RPC-EPMAP)"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{A040D0FF-4D0A-0000-14D1-40A00A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}