Topic Messages: logstash-local-windows

First Offset: 524290  Last Offset: 554619  Size: 30329
  
  
  
  
  
  
Offset: 524290   Key:   Timestamp: 2025-12-09 02:51:49.208 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.254\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.1\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66964\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:46.673Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d0ccaf881b6040de72d710aa2765bc2d718f29eecc839bc3fcc5f70a7a58be86","outcome":"success","created":"2025-12-09T03:15:48.562Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174324996,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","DestAddress":"224.0.0.1","DestPort":"0","RemoteMachineID":"S-1-0-0","SourceAddress":"172.30.4.254","Protocol":"2","ProcessID":"4","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66964","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524291   Key:   Timestamp: 2025-12-09 02:51:49.673 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t3696\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t59610\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:47.769Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"19207049785efa5d02f462a44dcb85865a7430860c514d6d8e8660e46bf31c19","outcome":"success","created":"2025-12-09T03:15:49.020Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275217,"event_id":5158,"process":{"thread":{"id":1328},"pid":4},"event_data":{"ProcessId":"3696","LayerRTID":"38","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"59610"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524292   Key:   Timestamp: 2025-12-09 02:51:49.673 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t3696\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59610\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:47.769Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"df93d2e34b55d9b8f217447d865fe91f1b1bfcece2458e4b74937e6efd2f80a0","outcome":"success","created":"2025-12-09T03:15:49.020Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275218,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","RemoteMachineID":"S-1-0-0","DestPort":"389","SourceAddress":"::1","DestAddress":"::1","ProcessID":"3696","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"59610"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524293   Key:   Timestamp: 2025-12-09 02:51:49.673 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t676\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59610\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:47.769Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"7b452c13e6551ea9327762ab26b08289dc5a36cfd8bad623ebc1d6fa286609c4","outcome":"success","created":"2025-12-09T03:15:49.020Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275219,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","RemoteMachineID":"S-1-0-0","Protocol":"6","SourceAddress":"::1","DestAddress":"::1","ProcessID":"676","DestPort":"389","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"59610"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524294   Key:   Timestamp: 2025-12-09 02:51:49.673 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xEF4BD26\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:47.770Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon","kind":"event","code":4672,"hash":"585927c643bd0a470de5c992d79cc82afb3ff55b2a5bc7f4bb4bd3931d2379c5","outcome":"success","created":"2025-12-09T03:15:49.020Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275220,"event_id":4672,"process":{"thread":{"id":1936},"pid":676},"event_data":{"PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0xef4bd26","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Special Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524295   Key:   Timestamp: 2025-12-09 02:51:49.673 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xEF4BD26\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{990C0ED2-DD0D-1C44-977C-3A828AEF68B2}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t::1\n\tSource Port:\t\t59610\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:47.770Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"a40f330b7cba2482737266dda4552090a5d95a8c62b351d45588398ae27253c6","outcome":"success","created":"2025-12-09T03:15:49.020Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275221,"event_id":4624,"process":{"thread":{"id":1936},"pid":676},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"W2016AD-N25$","LogonProcessName":"Kerberos","SubjectDomainName":"-","SubjectUserName":"-","IpAddress":"::1","TargetOutboundUserName":"-","LogonGuid":"{990C0ED2-DD0D-1C44-977C-3A828AEF68B2}","ImpersonationLevel":"%%1833","TargetLogonId":"0xef4bd26","SubjectLogonId":"0x0","IpPort":"59610","TargetUserSid":"S-1-5-18","LmPackageName":"-","ProcessId":"0x0","SubjectUserSid":"S-1-0-0","TargetOutboundDomainName":"-","ProcessName":"-","KeyLength":"0","TargetDomainName":"TDARPLATFORM.CSOC","TargetLinkedLogonId":"0x0","LogonType":"3","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524296   Key:   Timestamp: 2025-12-09 02:51:49.673 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xEF4BD26\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:47.772Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"d80502019c01d813548f641f4be19a80379bc529c59dc74485e6f14233105613","outcome":"success","created":"2025-12-09T03:15:49.020Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275223,"event_id":4634,"process":{"thread":{"id":2092},"pid":676},"event_data":{"TargetDomainName":"TDARPLATFORM","TargetLogonId":"0xef4bd26","LogonType":"3","TargetUserName":"W2016AD-N25$","TargetUserSid":"S-1-5-18"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524297   Key:   Timestamp: 2025-12-09 02:51:50.227 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t61542\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:48.970Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"8a0a8cc894d6a6a6d0964a391a9c4a002f3fe379fd9dbb9c079b1ddf68ca2317","outcome":"success","created":"2025-12-09T03:15:49.568Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174324999,"event_id":5158,"process":{"thread":{"id":1884},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"2480","LayerName":"%%14608","SourceAddress":"::","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","Protocol":"6","FilterRTID":"0","SourcePort":"61542"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524298   Key:   Timestamp: 2025-12-09 02:51:50.227 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:48.043Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"b8ecff2fa088e69d7d4f8e9f8aad751d4ef71e9e80e2a4bc5c4976cd8be8809b","outcome":"success","created":"2025-12-09T03:15:49.568Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174324998,"event_id":5156,"process":{"thread":{"id":1884},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.205","DestPort":"0","ProcessID":"4","Protocol":"2","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524299   Key:   Timestamp: 2025-12-09 02:51:50.227 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61542\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t53011\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67828\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:48.970Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"ec4bb9dac3b0b9ed1245ff49d26a490ca0453144b8ddac746d8ad7d2daa82349","outcome":"success","created":"2025-12-09T03:15:49.568Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325000,"event_id":5156,"process":{"thread":{"id":1884},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","DestAddress":"fe80::cd46:3442:b9b4:26f4","DestPort":"53011","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","Protocol":"6","ProcessID":"2480","RemoteMachineID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67828","SourcePort":"61542"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524300   Key:   Timestamp: 2025-12-09 02:51:50.227 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:48.043Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"a6c573cd66036ea43b728ee106dbf5765eee7e64a6f5c4053e9ae104f0096e99","outcome":"success","created":"2025-12-09T03:15:49.567Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174324997,"event_id":5156,"process":{"thread":{"id":1884},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.205","RemoteMachineID":"S-1-0-0","Application":"System","DestAddress":"239.255.255.250","DestPort":"0","ProcessID":"4","Protocol":"2","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524301   Key:   Timestamp: 2025-12-09 02:51:50.679 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:48.796Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"61159795b4f08a5ec31c3913d4a7e74ddac5f6d8b28bbf88b03d46f6a1b5e223","outcome":"success","created":"2025-12-09T03:15:50.030Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275224,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"System","DestAddress":"239.255.255.250","DestPort":"0","Protocol":"2","SourceAddress":"172.30.4.206","ProcessID":"4","RemoteMachineID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524302   Key:   Timestamp: 2025-12-09 02:51:50.680 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:48.796Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"fa3fdde9c098dcbb48204031b7a11321d32152e29e7222facf92e07b9875bed1","outcome":"success","created":"2025-12-09T03:15:50.030Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275225,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.206","RemoteMachineID":"S-1-0-0","DestPort":"0","Application":"System","Protocol":"2","ProcessID":"4","DestAddress":"239.255.255.250","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524303   Key:   Timestamp: 2025-12-09 02:51:50.680 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2460\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61542\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t53011\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t66908\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:48.969Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"f5b8705dfd827323472673a17e18c6ad064658537a25473938b401d2128e75c0","outcome":"success","created":"2025-12-09T03:15:50.031Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275226,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","RemoteMachineID":"S-1-0-0","Protocol":"6","DestPort":"53011","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","ProcessID":"2460","DestAddress":"fe80::cd46:3442:b9b4:26f4","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66908","SourcePort":"61542"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524304   Key:   Timestamp: 2025-12-09 02:51:50.680 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1104\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xEF4BD51\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{BEE7F115-DF2F-432F-AD94-180C2C90F693}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61542\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:48.971Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"113a1fde91f7434fb4742eb0caca8de70f9c7f6e370c273450b1cbaaafe88baf","outcome":"success","created":"2025-12-09T03:15:50.031Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275227,"event_id":4624,"process":{"thread":{"id":4560},"pid":676},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","IpAddress":"fe80::6c1c:1afd:b16:ecb9","SubjectUserName":"-","TargetOutboundUserName":"-","LogonGuid":"{BEE7F115-DF2F-432F-AD94-180C2C90F693}","ImpersonationLevel":"%%1833","TargetLogonId":"0xef4bd51","SubjectLogonId":"0x0","IpPort":"61542","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1104","TargetOutboundDomainName":"-","ProcessId":"0x0","ProcessName":"-","LmPackageName":"-","SubjectUserSid":"S-1-0-0","KeyLength":"0","LogonType":"3","TargetLinkedLogonId":"0x0","TargetDomainName":"TDARPLATFORM.CSOC","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{A040D0FF-4D0A-0000-14D1-40A00A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524305   Key:   Timestamp: 2025-12-09 02:51:52.684 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1515\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t59609\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:50.111Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"8d25835a0abda8685fdf4ee7c165d9d8b4eeb5a87e3624b0709d7fb91d61a5c3","outcome":"failure","created":"2025-12-09T03:15:52.038Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275229,"event_id":5152,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","SourceAddress":"172.30.2.163","DestAddress":"172.30.4.206","Protocol":"6","Application":"-","DestPort":"59609","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1515"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524306   Key:   Timestamp: 2025-12-09 02:51:52.684 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:50.796Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"ffd3ac094d35d7eb47fadbc9784a53dc3656eb785ba824f31e27cb962b13d1ff","outcome":"success","created":"2025-12-09T03:15:52.038Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275230,"event_id":5156,"process":{"thread":{"id":212},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","DestAddress":"224.0.0.251","DestPort":"0","RemoteMachineID":"S-1-0-0","SourceAddress":"172.30.4.206","ProcessID":"4","Protocol":"2","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524307   Key:   Timestamp: 2025-12-09 02:51:54.252 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:52.542Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"8ef87cc2271e90dd22e590256418f5913f1641a48280fc3191bebb56abeb7f29","outcome":"success","created":"2025-12-09T03:15:53.602Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325001,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","Protocol":"2","DestAddress":"224.0.0.252","DestPort":"0","ProcessID":"4","SourceAddress":"172.30.4.205","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524308   Key:   Timestamp: 2025-12-09 02:51:54.701 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.252\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t66906\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:52.292Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"870d25250e08accc62aff130fee422a198bea2d662e6b875ec26ae07e4aaefb9","outcome":"success","created":"2025-12-09T03:15:54.055Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275231,"event_id":5156,"process":{"thread":{"id":1076},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","Protocol":"2","SourceAddress":"172.30.4.206","DestAddress":"224.0.0.252","ProcessID":"4","DestPort":"0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"66906","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524309   Key:   Timestamp: 2025-12-09 02:51:57.287 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t0\n\tDestination Address:\t224.0.0.251\n\tDestination Port:\t\t0\n\tProtocol:\t\t2\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:54.545Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"545161f1bc97c75d6e1f1c2b2f21cd228b666f634c2648968175d61da9f8df31","outcome":"success","created":"2025-12-09T03:15:56.628Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325002,"event_id":5156,"process":{"thread":{"id":1884},"pid":4},"version":1,"event_data":{"LayerRTID":"44","Application":"System","RemoteMachineID":"S-1-0-0","DestPort":"0","SourceAddress":"172.30.4.205","DestAddress":"224.0.0.251","ProcessID":"4","Protocol":"2","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65787","SourcePort":"0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524310   Key:   Timestamp: 2025-12-09 02:51:57.731 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.111\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67043\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.068Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5157,"hash":"a8ea9b6fe45b6aeffb99124497e0b441f2076fe1027bc7aa1576de270f40487b","outcome":"failure","created":"2025-12-09T03:15:57.083Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275234,"event_id":5157,"process":{"thread":{"id":212},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.111","RemoteMachineID":"S-1-0-0","Protocol":"1","DestAddress":"172.30.4.206","DestPort":"5","ProcessID":"4","Application":"System","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"67043","SourcePort":"1"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524311   Key:   Timestamp: 2025-12-09 02:51:57.731 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.111\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67043\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.068Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"d1e8e25371529a1ebc96fbecf121f2918f7e27c2d20d660648cb40278456e494","outcome":"failure","created":"2025-12-09T03:15:57.083Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275233,"event_id":5152,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"4","LayerRTID":"44","Application":"System","DestAddress":"172.30.4.206","SourceAddress":"172.30.4.111","DestPort":"5","Protocol":"1","Direction":"%%14592","LayerName":"%%14610","FilterRTID":"67043","SourcePort":"1"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524312   Key:   Timestamp: 2025-12-09 02:51:57.731 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.25\n\tSource Port:\t\t137\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t137\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:55.665Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"a890b098472f25c8efbdc15f9e77821de5e6a2238adf28111d62b1997f4b3948","outcome":"failure","created":"2025-12-09T03:15:57.083Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225275232,"event_id":5152,"process":{"thread":{"id":1076},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","SourceAddress":"172.30.4.25","DestAddress":"172.30.4.206","DestPort":"137","Application":"-","Protocol":"17","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"137"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524313   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.726Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.655Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325008,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524314   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.710Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.655Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325004,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524315   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.739Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.656Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325011,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524316   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.709Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.655Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325003,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524317   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.739Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.655Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325010,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524318   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.713Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.655Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325005,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524319   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.740Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.656Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325012,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524320   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.728Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.655Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325009,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524321   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:56.726Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:15:58.655Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325007,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524322   Key:   Timestamp: 2025-12-09 02:51:59.307 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1001\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0xDFCF35A\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:15:57.369Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logoff","kind":"event","code":4634,"hash":"dcb88e02f8739b0a8cbaadd4c256f6ee4bb3cfd5ee8eb382dcdabb322fbcfe25","outcome":"success","created":"2025-12-09T03:15:58.656Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174325014,"event_id":4634,"process":{"thread":{"id":3360},"pid":692},"event_data":{"LogonType":"3","TargetDomainName":"TDARPLATFORM","TargetLogonId":"0xdfcf35a","TargetUserName":"W2016AD-N25$","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1001"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Logoff"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524323   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{6710AB75-D572-4B8F-9676-BBB249EAB68A}\n\tName:\t\tDFS Replication (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828917\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.028Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"4e729865fc8a967fe4ee996f35e2e93d65fbd190a5c096885af1b419ab4f7547","outcome":"success","created":"2025-12-09T03:27:20.789Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326684,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{6710AB75-D572-4B8F-9676-BBB249EAB68A}","LayerId":"46","Weight":"10376540038224674816","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Action":"%%16390","FilterId":"828917","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","FilterType":"%%16388","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","CalloutKey":"{00000000-0000-0000-0000-000000000000}","UserSid":"S-1-5-19","LayerName":"ALE Receive/Accept v6 Layer","ProviderName":"Microsoft Corporation","ChangeType":"%%16385","CalloutName":"-","FilterName":"DFS Replication (RPC-EPMAP)"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524324   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{4B6270BE-DC54-4495-A8D9-1A6A16A472DE}\n\tName:\t\tFile Replication (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828924\n\nLayer Information:\n\tID:\t\t{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}\n\tName:\t\tALE Listen v6 Layer\n\tRun-Time ID:\t42\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293541528731616\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.028Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"fffc903ee6d1fab16ab3bfb881ccfd6101cafeee91f1f5e05014988760aba9a7","outcome":"success","created":"2025-12-09T03:27:20.790Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326691,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{4B6270BE-DC54-4495-A8D9-1A6A16A472DE}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","LayerId":"42","Weight":"10376293541528731616","Action":"%%16390","FilterId":"828924","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","FilterType":"%%16388","ProviderName":"Microsoft Corporation","CalloutKey":"{00000000-0000-0000-0000-000000000000}","LayerName":"ALE Listen v6 Layer","LayerKey":"{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}","UserSid":"S-1-5-19","ChangeType":"%%16385","CalloutName":"-","FilterName":"File Replication (RPC-EPMAP)"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524325   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{5E823047-F84B-45DD-ACB4-633167076783}\n\tName:\t\tActive Directory Domain Controller (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828931\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.029Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"fe9d6841e314851d98b3f1e2f7da3d66f93fe289f28087a9ecf7decbbb68de10","outcome":"success","created":"2025-12-09T03:27:20.790Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326698,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","FilterKey":"{5E823047-F84B-45DD-ACB4-633167076783}","Weight":"10376540038224674816","LayerId":"46","Action":"%%16390","FilterId":"828931","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","FilterType":"%%16388","LayerName":"ALE Receive/Accept v6 Layer","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","CalloutKey":"{00000000-0000-0000-0000-000000000000}","ProviderName":"Microsoft Corporation","UserSid":"S-1-5-19","CalloutName":"-","ChangeType":"%%16385","FilterName":"Active Directory Domain Controller (RPC-EPMAP)"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524326   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{B2A1B7BB-9734-4BC0-9036-092F01ABE4E6}\n\tName:\t\tFile Replication (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828918\n\nLayer Information:\n\tID:\t\t{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}\n\tName:\t\tALE Listen v4 Layer\n\tRun-Time ID:\t40\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293542535364576\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.028Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"500b7429de4c9fe7eb639d38c455eada03eebacfa65bd84dbc184bfd5bc34086","outcome":"success","created":"2025-12-09T03:27:20.789Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326685,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{B2A1B7BB-9734-4BC0-9036-092F01ABE4E6}","LayerId":"40","Weight":"10376293542535364576","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Action":"%%16390","FilterId":"828918","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087","FilterType":"%%16388","LayerKey":"{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}","CalloutKey":"{00000000-0000-0000-0000-000000000000}","LayerName":"ALE Listen v4 Layer","UserSid":"S-1-5-19","ProviderName":"Microsoft Corporation","ChangeType":"%%16385","CalloutName":"-","FilterName":"File Replication (RPC-EPMAP)"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524327   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{4B4BBDA6-1BEC-4AEF-B320-4A1E5D539CC2}\n\tName:\t\tFile Replication (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828925\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.028Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"699918f6d44d130703294fe76e9e00a853c9138c1b6d4c197516a2559cc217cc","outcome":"success","created":"2025-12-09T03:27:20.790Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326692,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","LayerId":"46","FilterKey":"{4B4BBDA6-1BEC-4AEF-B320-4A1E5D539CC2}","Weight":"10376540038224674816","Action":"%%16390","FilterId":"828925","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","FilterType":"%%16388","ProviderName":"Microsoft Corporation","CalloutKey":"{00000000-0000-0000-0000-000000000000}","UserSid":"S-1-5-19","LayerName":"ALE Receive/Accept v6 Layer","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","ChangeType":"%%16385","CalloutName":"-","FilterName":"File Replication (RPC-EPMAP)"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524328   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{E4251E14-96FB-4DBB-ADCD-5B706039B025}\n\tName:\t\tActive Directory Domain Controller (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828932\n\nLayer Information:\n\tID:\t\t{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}\n\tName:\t\tALE Listen v6 Layer\n\tRun-Time ID:\t42\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293541528731616\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.029Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"a9851f542b9af8a1b6eabf8101dc7a387c29f6a12cb8342a915c130e53455608","outcome":"success","created":"2025-12-09T03:27:20.790Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326699,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{E4251E14-96FB-4DBB-ADCD-5B706039B025}","LayerId":"42","Weight":"10376293541528731616","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Action":"%%16390","FilterId":"828932","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251","FilterType":"%%16388","LayerKey":"{7AC9DE24-17DD-4814-B4BD-A9FBC95A321B}","CalloutKey":"{00000000-0000-0000-0000-000000000000}","UserSid":"S-1-5-19","LayerName":"ALE Listen v6 Layer","ProviderName":"Microsoft Corporation","CalloutName":"-","ChangeType":"%%16385","FilterName":"Active Directory Domain Controller (RPC-EPMAP)"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524329   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{992ACC3E-B140-44BB-BDB3-476E2CE89989}\n\tName:\t\tFile Replication (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828919\n\nLayer Information:\n\tID:\t\t{E1CD9FE7-F4B5-4273-96C0-592E487B8650}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10378405428420673536\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.028Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"06c2817772e554d024ff4479325dee3914595b5ddfb11d28a89497280c92aab4","outcome":"success","created":"2025-12-09T03:27:20.789Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326686,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","LayerId":"44","Weight":"10378405428420673536","FilterKey":"{992ACC3E-B140-44BB-BDB3-476E2CE89989}","Action":"%%16390","FilterId":"828919","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","FilterType":"%%16388","LayerName":"ALE Receive/Accept v4 Layer","CalloutKey":"{00000000-0000-0000-0000-000000000000}","UserSid":"S-1-5-19","ProviderName":"Microsoft Corporation","LayerKey":"{E1CD9FE7-F4B5-4273-96C0-592E487B8650}","CalloutName":"-","ChangeType":"%%16385","FilterName":"File Replication (RPC-EPMAP)"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524330   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{3CD35D3C-E5DA-416B-B0C9-948F4D37072C}\n\tName:\t\tActive Directory Domain Controller (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828926\n\nLayer Information:\n\tID:\t\t{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}\n\tName:\t\tALE Listen v4 Layer\n\tRun-Time ID:\t40\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376293542535364576\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.028Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"a5a37ff55e6c8fe10781876f7a6f980256731ca9413a77560d456766fab68641","outcome":"success","created":"2025-12-09T03:27:20.790Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326693,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{3CD35D3C-E5DA-416B-B0C9-948F4D37072C}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","LayerId":"40","Weight":"10376293542535364576","Action":"%%16390","FilterId":"828926","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0087","FilterType":"%%16388","LayerKey":"{88BB5DAD-76D7-4227-9C71-DF0A3ED7BE7E}","ProviderName":"Microsoft Corporation","LayerName":"ALE Listen v4 Layer","CalloutKey":"{00000000-0000-0000-0000-000000000000}","UserSid":"S-1-5-19","ChangeType":"%%16385","CalloutName":"-","FilterName":"Active Directory Domain Controller (RPC-EPMAP)"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524331   Key:   Timestamp: 2025-12-09 03:03:21.426 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1412\n\nProvider Information:\n\tID:\t\t{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{66F1A846-2547-4085-A351-438FBD1F98EA}\n\tName:\t\tActive Directory Domain Controller (RPC-EPMAP)\n\tType:\t\tNot persistent\n\tRun-Time ID:\t828933\n\nLayer Information:\n\tID:\t\t{A3B42C97-9F04-4672-B87E-CEE9C483257F}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t10376540038224674816\t\n\tConditions:\t\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tFilter Action:\tPermit","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:19.029Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Other Policy Change Events","kind":"event","code":5447,"hash":"a98789fe27f292e9a7fcba448349e37867e069d4063427f67806dab04bdc1bc6","outcome":"success","created":"2025-12-09T03:27:20.790Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326700,"event_id":5447,"process":{"thread":{"id":3360},"pid":692},"event_data":{"ProcessId":"1412","UserName":"NT AUTHORITY\\LOCAL SERVICE","FilterKey":"{66F1A846-2547-4085-A351-438FBD1F98EA}","ProviderKey":"{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}","Weight":"10376540038224674816","LayerId":"46","Action":"%%16390","FilterId":"828933","Conditions":"\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2.\\.\n    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\\.\n    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.\n    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \\.s.v.c.h.o.s.t.\n    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...\n\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:SYG:SYD:(A;;CCRC;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)\n\n\n\tCondition ID:\t{0c1ba1af-5765-453f-af22-a8f791ac775b}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0251\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06","FilterType":"%%16388","ProviderName":"Microsoft Corporation","LayerKey":"{A3B42C97-9F04-4672-B87E-CEE9C483257F}","LayerName":"ALE Receive/Accept v6 Layer","CalloutKey":"{00000000-0000-0000-0000-000000000000}","UserSid":"S-1-5-19","CalloutName":"-","ChangeType":"%%16385","FilterName":"Active Directory Domain Controller (RPC-EPMAP)"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","activity_id":"{49374407-4D0A-0003-0E44-37490A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Other Policy Change Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524332   Key:   Timestamp: 2025-12-09 03:03:25.094 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59666\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:22.918Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"3e2896697770024a39e93de37d3abecf6dc3b197c3158acacb5ac8d95340fc4e","outcome":"success","created":"2025-12-09T03:27:24.450Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276404,"event_id":5158,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessId":"2420","LayerRTID":"36","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"59666"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524333   Key:   Timestamp: 2025-12-09 03:03:25.094 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1515\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t59666\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:23.521Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"7be8afe340baa773cffb6a7eb0c19eb1ec61669043a0851caf7a968445f41d77","outcome":"failure","created":"2025-12-09T03:27:24.450Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276406,"event_id":5152,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","SourceAddress":"172.30.2.163","Protocol":"6","DestAddress":"172.30.4.206","DestPort":"59666","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1515"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524334   Key:   Timestamp: 2025-12-09 03:03:25.094 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t59666\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1515\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:22.918Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"9a44835689c3807f7cb6cbb9fc601ecca9f24ab6f54e3ca9cde57194a7d2c738","outcome":"success","created":"2025-12-09T03:27:24.450Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276405,"event_id":5156,"process":{"thread":{"id":4360},"pid":4},"version":1,"event_data":{"LayerRTID":"48","SourceAddress":"172.30.4.206","RemoteMachineID":"S-1-0-0","DestPort":"1515","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","DestAddress":"172.30.2.163","ProcessID":"2420","Protocol":"6","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"59666"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524335   Key:   Timestamp: 2025-12-09 03:03:25.456 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t61611\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:23.524Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"7a5bd49d5ba1482359cba30c7c7287682d7679f158b94a0c299f5827ed1f128b","outcome":"failure","created":"2025-12-09T03:27:24.821Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174326701,"event_id":5152,"process":{"thread":{"id":3152},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","SourceAddress":"172.30.2.163","DestAddress":"172.30.4.205","Protocol":"6","DestPort":"61611","Application":"-","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524336   Key:   Timestamp: 2025-12-09 03:03:29.125 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.557Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.490Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276407,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524337   Key:   Timestamp: 2025-12-09 03:03:29.126 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.558Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.490Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276408,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524338   Key:   Timestamp: 2025-12-09 03:03:29.127 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.583Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.491Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276416,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524339   Key:   Timestamp: 2025-12-09 03:03:29.127 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.585Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.491Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276417,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524340   Key:   Timestamp: 2025-12-09 03:03:29.128 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.560Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.490Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276409,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524341   Key:   Timestamp: 2025-12-09 03:03:29.128 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.571Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.491Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276410,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524342   Key:   Timestamp: 2025-12-09 03:03:29.128 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.571Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.491Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276411,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524343   Key:   Timestamp: 2025-12-09 03:03:29.128 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.571Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.491Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276412,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524344   Key:   Timestamp: 2025-12-09 03:03:29.128 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.573Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.491Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276413,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524345   Key:   Timestamp: 2025-12-09 03:03:29.128 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:27:26.583Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:27:28.491Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276414,"event_id":4703,"process":{"thread":{"id":4360},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524346   Key:   Timestamp: 2025-12-09 03:06:33.572 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1515\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t59684\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:31.084Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"efdbbae1d28ab045c1a66fba3ac05c46faae9906b13760b9245ea57860f2632b","outcome":"failure","created":"2025-12-09T03:30:32.938Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276784,"event_id":5152,"process":{"thread":{"id":1328},"pid":4},"event_data":{"ProcessId":"0","LayerRTID":"28","Application":"-","SourceAddress":"172.30.2.163","Protocol":"6","DestPort":"59684","DestAddress":"172.30.4.206","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1515"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524347   Key:   Timestamp: 2025-12-09 03:06:36.602 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t1152\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t64587\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:34.146Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"ea43365ba7df44886e86db9892491ef84138340d4e7c30c8808866163d615864","outcome":"success","created":"2025-12-09T03:30:35.969Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276786,"event_id":5158,"process":{"thread":{"id":1328},"pid":4},"event_data":{"ProcessId":"1152","LayerRTID":"38","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","SourceAddress":"::","Protocol":"17","FilterRTID":"0","SourcePort":"64587"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524348   Key:   Timestamp: 2025-12-09 03:06:36.602 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2412\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t64587\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:34.147Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"43bd86f681aa5de0f2354113c81d386868bd03a54ae3b7ce41184fba17829cf6","outcome":"success","created":"2025-12-09T03:30:35.969Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276788,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"46","SourceAddress":"::1","DestAddress":"::1","DestPort":"53","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","ProcessID":"2412","Protocol":"17","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"64587"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524349   Key:   Timestamp: 2025-12-09 03:06:36.602 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t1152\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t64587\n\tDestination Address:\t::1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:34.147Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"59102d204c75c407bd52f129c50bd828fed7400a13e5af6f2d682a2fe230dd2c","outcome":"success","created":"2025-12-09T03:30:35.969Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276787,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"50","SourceAddress":"::1","RemoteMachineID":"S-1-0-0","DestPort":"53","DestAddress":"::1","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","ProcessID":"1152","Protocol":"17","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"64587"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524350   Key:   Timestamp: 2025-12-09 03:06:36.602 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2412\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t59838\n\tDestination Address:\t172.30.4.254\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:34.147Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"0eb86493790045a031ec3ecdbfbe6751f2305a2b7e7c3197693a1fe279cac422","outcome":"success","created":"2025-12-09T03:30:35.969Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276789,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","RemoteMachineID":"S-1-0-0","DestPort":"53","DestAddress":"172.30.4.254","SourceAddress":"172.30.4.206","Protocol":"17","ProcessID":"2412","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"59838"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524351   Key:   Timestamp: 2025-12-09 03:06:36.602 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2312\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59685\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:34.153Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"0f4f7522f2065d125eb3d99ce16cdabadded668511a3cfcf7d9faf7bc5186910","outcome":"success","created":"2025-12-09T03:30:35.969Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276790,"event_id":5158,"process":{"thread":{"id":1328},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2312","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"59685"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524352   Key:   Timestamp: 2025-12-09 03:06:36.602 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2312\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t59685\n\tDestination Address:\t20.44.10.122\n\tDestination Port:\t\t443\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:34.154Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"3d51a0e2e0ec71343391f9ccc859872896bb8c9de7ce4f62e00461ddca30a104","outcome":"success","created":"2025-12-09T03:30:35.969Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276791,"event_id":5156,"process":{"thread":{"id":1328},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","DestAddress":"20.44.10.122","SourceAddress":"172.30.4.206","RemoteMachineID":"S-1-0-0","Protocol":"6","ProcessID":"2312","DestPort":"443","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"59685"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524353   Key:   Timestamp: 2025-12-09 03:06:36.603 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t1152\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t64587\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:34.146Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"163ddd6ed121d6d50cb7212a2d7761be795e5cf3c51aa34199e23cfd3cc294d3","outcome":"success","created":"2025-12-09T03:30:35.969Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276785,"event_id":5158,"process":{"thread":{"id":1328},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"1152","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","SourceAddress":"::","Protocol":"17","FilterRTID":"0","SourcePort":"64587"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524354   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.077Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327026,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524355   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.055Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327020,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524356   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.091Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327027,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524357   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.056Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327021,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524358   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.074Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327024,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524359   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.075Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327025,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524360   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.091Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327028,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524361   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.074Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327023,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524362   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.092Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327030,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x168","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524363   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.060Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327022,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524364   Key:   Timestamp: 2025-12-09 03:06:39.078 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:37.091Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:30:38.448Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327029,"event_id":4703,"process":{"thread":{"id":3156},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524365   Key:   Timestamp: 2025-12-09 03:06:41.103 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2392\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t61633\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67157\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:38.701Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"d1ab7c50148cd675bcafc668a92669af24eaed2fd0a48ebbdefec94eb45b75da","outcome":"success","created":"2025-12-09T03:30:40.464Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327032,"event_id":5156,"process":{"thread":{"id":3764},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","DestAddress":"172.30.2.163","DestPort":"1514","Protocol":"6","RemoteMachineID":"S-1-0-0","ProcessID":"2392","SourceAddress":"172.30.4.205","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67157","SourcePort":"61633"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524366   Key:   Timestamp: 2025-12-09 03:06:41.103 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2392\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t61633\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:38.700Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"2e88ece51d589d2432470d101fa355cbc010edcfc36ae9e4221fd8a3b28b4a11","outcome":"success","created":"2025-12-09T03:30:40.464Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327031,"event_id":5158,"process":{"thread":{"id":3764},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2392","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"61633"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524367   Key:   Timestamp: 2025-12-09 03:06:44.119 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t61633\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:41.697Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"1f5e9be19e912337ee8f33d666bcbf5ab922023ac5bbbb8c1b547675ab2b4787","outcome":"failure","created":"2025-12-09T03:30:43.486Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327033,"event_id":5152,"process":{"thread":{"id":5348},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","DestAddress":"172.30.4.205","Protocol":"6","DestPort":"61633","SourceAddress":"172.30.2.163","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524368   Key:   Timestamp: 2025-12-09 03:06:47.140 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t61633\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67142\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:44.707Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"1f5e9be19e912337ee8f33d666bcbf5ab922023ac5bbbb8c1b547675ab2b4787","outcome":"failure","created":"2025-12-09T03:30:46.504Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327034,"event_id":5152,"process":{"thread":{"id":3156},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","DestAddress":"172.30.4.205","DestPort":"61633","SourceAddress":"172.30.2.163","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67142","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524369   Key:   Timestamp: 2025-12-09 03:06:48.704 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:46.642Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:30:48.069Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276798,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524370   Key:   Timestamp: 2025-12-09 03:06:48.704 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:46.625Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:30:48.069Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276792,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524371   Key:   Timestamp: 2025-12-09 03:06:48.704 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:46.657Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:30:48.069Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276799,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524372   Key:   Timestamp: 2025-12-09 03:06:48.704 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:46.626Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:30:48.069Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276793,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524373   Key:   Timestamp: 2025-12-09 03:06:48.704 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:46.657Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:30:48.069Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276800,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524374   Key:   Timestamp: 2025-12-09 03:06:48.704 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:46.629Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:30:48.069Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276794,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0x11c","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524375   Key:   Timestamp: 2025-12-09 03:06:48.705 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:46.640Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:30:48.069Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276795,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessId":"0x11c","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524376   Key:   Timestamp: 2025-12-09 03:06:48.705 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x11c\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:30:46.657Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"e770a27583b7f245cff6759ed7690348fdc7636bb468382cd14998ab7a97e611","outcome":"success","created":"2025-12-09T03:30:48.069Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225276801,"event_id":4703,"process":{"thread":{"id":212},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","ProcessId":"0x11c","TargetUserName":"W2016AD-N25$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"W2016AD-N25$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524377   Key:   Timestamp: 2025-12-09 03:11:50.356 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t3696\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t59712\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:48.015Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"e6e0af6596d2f5a14f907b17b2533c7716a9688976a1ba19480ae5268914b123","outcome":"success","created":"2025-12-09T03:35:49.728Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225277415,"event_id":5158,"process":{"thread":{"id":1328},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"3696","LayerName":"%%14608","SourceAddress":"::","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","Protocol":"6","FilterRTID":"0","SourcePort":"59712"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524378   Key:   Timestamp: 2025-12-09 03:11:50.356 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1104\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0xEF626CA\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{BEE7F115-DF2F-432F-AD94-180C2C90F693}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61665\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:49.026Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Logon","kind":"event","code":4624,"hash":"faf424ccca9797bb802d03d96db3572f7b52e998c8736dc0f424fbb1947b2640","outcome":"success","created":"2025-12-09T03:35:49.728Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225277423,"event_id":4624,"process":{"thread":{"id":2092},"pid":676},"version":2,"event_data":{"VirtualAccount":"%%1843","TargetUserName":"WIN-MDLQ2GQ94V9$","LogonProcessName":"Kerberos","SubjectDomainName":"-","IpAddress":"fe80::6c1c:1afd:b16:ecb9","SubjectUserName":"-","TargetOutboundUserName":"-","LogonGuid":"{BEE7F115-DF2F-432F-AD94-180C2C90F693}","ImpersonationLevel":"%%1833","TargetLogonId":"0xef626ca","SubjectLogonId":"0x0","IpPort":"61665","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1104","TargetOutboundDomainName":"-","ProcessId":"0x0","SubjectUserSid":"S-1-0-0","ProcessName":"-","LmPackageName":"-","KeyLength":"0","TargetLinkedLogonId":"0x0","LogonType":"3","TargetDomainName":"TDARPLATFORM.CSOC","AuthenticationPackageName":"Kerberos","TransmittedServices":"-","RestrictedAdminMode":"-","WorkstationName":"-","ElevatedToken":"%%1842"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","activity_id":"{A040D0FF-4D0A-0000-14D1-40A00A4DDC01}","keywords":["Audit Success"],"opcode":"Info","task":"Logon"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524379   Key:   Timestamp: 2025-12-09 03:11:50.866 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t61665\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:49.027Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"5fdb0e1d7a50c77fa4811bb56a40dd7a89852624cef53a559f41ded9507b162e","outcome":"success","created":"2025-12-09T03:35:50.238Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327691,"event_id":5158,"process":{"thread":{"id":6060},"pid":4},"event_data":{"LayerRTID":"38","ProcessId":"2480","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","SourceAddress":"::","Protocol":"6","FilterRTID":"0","SourcePort":"61665"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524380   Key:   Timestamp: 2025-12-09 03:11:50.866 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2480\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t61665\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t53011\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67828\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:49.028Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"741328a3f38353c6678a7c75055cc1d46c2dbdfd8324f6390a939df3ab86b7cf","outcome":"success","created":"2025-12-09T03:35:50.238Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327692,"event_id":5156,"process":{"thread":{"id":6060},"pid":4},"version":1,"event_data":{"LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","RemoteMachineID":"S-1-0-0","DestAddress":"fe80::cd46:3442:b9b4:26f4","Protocol":"6","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"2480","DestPort":"53011","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67828","SourcePort":"61665"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524381   Key:   Timestamp: 2025-12-09 03:11:52.371 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t59713\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:50.451Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5156,"hash":"860223966a753d57576830d4dd4e594d02ce67fae72dc8226934e8778eb80d84","outcome":"success","created":"2025-12-09T03:35:51.743Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225277426,"event_id":5156,"process":{"thread":{"id":3548},"pid":4},"version":1,"event_data":{"LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"172.30.4.206","DestPort":"1514","Protocol":"6","DestAddress":"172.30.2.163","ProcessID":"2420","RemoteMachineID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","RemoteUserID":"S-1-0-0","FilterRTID":"67057","SourcePort":"59713"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524382   Key:   Timestamp: 2025-12-09 03:11:52.371 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2420\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59713\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:50.451Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5158,"hash":"06d9b7b4b3647000e86dfc2a9cf5ab53df0bfe7bc4c255b1b908a25c57a3959c","outcome":"success","created":"2025-12-09T03:35:51.743Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225277425,"event_id":5158,"process":{"thread":{"id":3548},"pid":4},"event_data":{"LayerRTID":"36","ProcessId":"2420","LayerName":"%%14608","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","SourceAddress":"0.0.0.0","Protocol":"6","FilterRTID":"0","SourcePort":"59713"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524383   Key:   Timestamp: 2025-12-09 03:11:55.372 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t59713\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:53.448Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"ca872250d006cfc765bce4f95ea9b4e92dde99863eefacee9798576a6ef7279d","outcome":"failure","created":"2025-12-09T03:35:54.747Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225277427,"event_id":5152,"process":{"thread":{"id":4832},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","Application":"-","DestAddress":"172.30.4.206","DestPort":"59713","SourceAddress":"172.30.2.163","Protocol":"6","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524384   Key:   Timestamp: 2025-12-09 03:11:58.415 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.111\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67043\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:56.151Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"d1e8e25371529a1ebc96fbecf121f2918f7e27c2d20d660648cb40278456e494","outcome":"failure","created":"2025-12-09T03:35:57.775Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225277428,"event_id":5152,"process":{"thread":{"id":1292},"pid":4},"event_data":{"LayerRTID":"44","ProcessId":"4","SourceAddress":"172.30.4.111","Application":"System","DestPort":"5","Protocol":"1","DestAddress":"172.30.4.206","Direction":"%%14592","LayerName":"%%14610","FilterRTID":"67043","SourcePort":"1"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524385   Key:   Timestamp: 2025-12-09 03:11:58.415 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.111\n\tSource Port:\t\t1\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t5\n\tProtocol:\t\t1\n\nFilter Information:\n\tFilter Run-Time ID:\t67043\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:56.151Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Connection","kind":"event","code":5157,"hash":"a8ea9b6fe45b6aeffb99124497e0b441f2076fe1027bc7aa1576de270f40487b","outcome":"failure","created":"2025-12-09T03:35:57.775Z"},"event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"architecture":"x86_64","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225277429,"event_id":5157,"process":{"thread":{"id":1292},"pid":4},"version":1,"event_data":{"LayerRTID":"44","SourceAddress":"172.30.4.111","DestAddress":"172.30.4.206","DestPort":"5","Protocol":"1","Application":"System","ProcessID":"4","RemoteMachineID":"S-1-0-0","Direction":"%%14592","LayerName":"%%14610","RemoteUserID":"S-1-0-0","FilterRTID":"67043","SourcePort":"1"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Connection"},"agent":{"name":"w2016ad-n25","ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524386   Key:   Timestamp: 2025-12-09 03:11:58.415 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t59713\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:56.449Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Filtering Platform Packet Drop","kind":"event","code":5152,"hash":"ca872250d006cfc765bce4f95ea9b4e92dde99863eefacee9798576a6ef7279d","outcome":"failure","created":"2025-12-09T03:35:57.775Z"},"event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","architecture":"x86_64","ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:2851:782c:c01:960:5498:fa31","fe80::c01:960:5498:fa31"],"name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","family":"windows","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":225277430,"event_id":5152,"process":{"thread":{"id":1292},"pid":4},"event_data":{"LayerRTID":"28","ProcessId":"0","SourceAddress":"172.30.2.163","DestAddress":"172.30.4.206","DestPort":"59713","Protocol":"6","Application":"-","Direction":"%%14592","LayerName":"%%14601","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"w2016ad-n25.tdarplatform.csoc","keywords":["Audit Failure"],"opcode":"Info","task":"Filtering Platform Packet Drop"},"agent":{"ephemeral_id":"1530b4ef-9f46-47ac-878f-b9641a8c1f13","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"}}
Offset: 524387   Key:   Timestamp: 2025-12-09 03:11:58.944 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:57.227Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:35:58.313Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"architecture":"x86_64","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"}},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327700,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessId":"0x168","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524388   Key:   Timestamp: 2025-12-09 03:11:58.944 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:57.227Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:35:58.313Z"},"event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","architecture":"x86_64","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327701,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessName":"C:\\Windows\\System32\\svchost.exe","ProcessId":"0x168","SubjectUserSid":"S-1-5-18","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}
Offset: 524389   Key:   Timestamp: 2025-12-09 03:11:58.944 Headers: empty
  
{"tags":["beats_input_codec_plain_applied"],"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x168\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","type":"winlogbeat","@version":"1","ecs":{"version":"1.5.0"},"@timestamp":"2025-12-09T03:35:57.194Z","event":{"provider":"Microsoft-Windows-Security-Auditing","action":"Token Right Adjusted Events","kind":"event","code":4703,"hash":"9f10e46b504715c3bde6597262aff1c5993c26c344a6170f7f587a0d665def84","outcome":"success","created":"2025-12-09T03:35:58.313Z"},"event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","architecture":"x86_64","ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:2851:782c:8fa:3638:53e1:fb32","fe80::8fa:3638:53e1:fb32"],"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","family":"windows","kernel":"10.0.14393.5717 (rs1_release.230203-1742)"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"]},"log":{"level":"information"},"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","record_id":174327693,"event_id":4703,"process":{"thread":{"id":1884},"pid":4},"event_data":{"ProcessId":"0x168","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetDomainName":"TDARPLATFORM","SubjectDomainName":"TDARPLATFORM","SubjectUserName":"WIN-MDLQ2GQ94V9$","DisabledPrivilegeList":"-","TargetLogonId":"0x3e7","SubjectLogonId":"0x3e7","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","TargetUserSid":"S-1-0-0"},"api":"wineventlog","channel":"Security","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","keywords":["Audit Success"],"opcode":"Info","task":"Token Right Adjusted Events"},"agent":{"ephemeral_id":"49ee14d1-7c86-449b-9321-e909c76b3d64","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"}}