Azure: Microsoft ATA Console/Dashboard does not populate any events

[Mirabis]

• Operating System Version: Windows Server 2016
• Deploying via (VirtualBox/VMWare/AWS/Azure/ESXi): Terraform > Azure
• Vagrant Version (if applicable): N/A, Azure latest master branch

Please verify that you are building from an updated Master branch before filing an issue. = DONE

Description of the issue:

Microsoft ATA Logs stay empty. I've deployed multiple times and had the following results:

• W10 host did not join domain and did not show up - redid that host and it was added
• Gateway was not setup (like other issue still open) so manually triggered the vagrant installation script, did not work after
• Manually downloaded gateway from wef on dc and installed it and confirmed service was running, unfortunately no events still

To trigger events I ran mimikatz, cobaltstrige stagers etc.... nothing. Splunk dashboard for Threat Analytics is empty but the indexes are populated if I do manual searches. Seems like something in deployment goes wrong.

Link to Gist Containing Ansible Logs:

Link: https://gist.github.com/Mirabis/274a987d2a90e4b1965145882b7ee951 ATA installation failed and I did it again after which it was successful (according to ansible) but problem remained. do note: task: "Disabling Windows Defender automatic sample submission" was added manually after 2-3 tries because the GPO did not seem to take into affect immediately. No further changes to master code was made.

ATA Logs

Microsoft.Tri.Gateway-Errors.log

2020-07-29 08:38:38.4588 6584 5   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:39:14.1581 6584 19  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:39:51.3968 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:40:22.6289 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:40:52.7599 6584 10  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:41:29.5028 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:41:59.5597 6584 6   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:42:31.8910 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:43:02.6888 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:43:32.9591 6584 19  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:44:03.2416 6584 7   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:44:33.2557 6584 6   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:45:03.2573 6584 17  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:45:33.2846 6584 21  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:46:03.2896 6584 9   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:46:33.3046 6584 13  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:47:03.4258 6584 13  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:47:33.6303 6584 9   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:48:03.6389 6584 9   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)

Microsoft.Tri.Gateway.log

2020-07-29 08:30:15.0749 6584 5   Debug [GatewayService] Starting
2020-07-29 08:30:15.1888 6584 5   Debug [GatewayModuleManager] Uninitialized
2020-07-29 08:30:15.2044 6584 5   Info  [GatewayModuleManager] [Version=1.9.7312.32791]
2020-07-29 08:30:15.2669 6584 5   Debug [GatewayConfigurationManager] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [SecretManager] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [GatewaySecretManager] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [PerformanceCounterCategoryManagerProxy] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [PerformanceCounterManager] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [AppDomainManager] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [CenterMonitoringEngineProxy] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [ResourceManagerProxy] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [GatewayResourceManager] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [EntityReceiverProxy] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [EntitySender] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [TcpClientWrapper] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [UdpClientWrapper] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [DnsClient] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [NetbiosClient] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [RpcNtlmClient] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [NetworkNameResolver] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [DirectoryServicesClient] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [DirectoryServicesResolver] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [LocalAdministratorsResolver] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [EntityResolver] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [RadiusEventActivityTranslator] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [SyslogEventActivityTranslator] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [WefEventActivityTranslator] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [RadiusEventListener] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [SyslogEventListener] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [WindowsEventLogReader] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [NetworkActivityTranslator] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [NetEventSessionManagerProxy] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [NetworkListener] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [CenterTelemetryManagerProxy] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [GatewayTelemetryManager] Uninitialized
2020-07-29 08:30:15.2669 6584 5   Debug [GatewayModuleManager] Initializing
2020-07-29 08:30:15.2826 6584 5   Debug [GatewayConfigurationManager] Initializing
2020-07-29 08:30:16.6187 6584 8   Info  [GatewayConfigurationManager] Configuration loaded [Configuration={
  "AppDomainManagerConfiguration": {
    "GcCollectConfiguration": {
      "Interval": "00:10:00",
      "IsEnabled": true
    },
    "UpdateExceptionStatisticsConfiguration": {
      "Interval": "00:01:00",
      "IsEnabled": true
    }
  },
  "CenterWebClientConfiguration": {
    "RetryDelay": "00:00:01",
    "ServiceEndpoints": [
      {
        "Address": "wef.windomain.local",
        "Port": 443
      }
    ],
    "ServiceCertificateThumbprints": [
      "D248244A4B27D0223DF865DC846ED51309686855"
    ]
  },
  "ConfigurationManagerConfiguration": {
    "UpdateConfigurationConfiguration": {
      "Interval": "00:00:15",
      "IsEnabled": true
    }
  },
  "DirectoryServicesClientConfiguration": {
    "AccountDomainName": "windomain.local",
    "AccountName": "vagrant",
    "AccountPasswordEncrypted": {
      "Password": null,
      "CertificateThumbprint": "BA138D13EBD6B47DFBAFDA52A903AEFB0502537B"
    },
    "DomainControllerConnectionCount": 10,
    "DomainControllerDnsNames": [
      "dc.windomain.local"
    ],
    "LdapConnectionSslEnabled": false,
    "LdapConnectionSendTimeout": "00:00:05",
    "LdapConnectionOperationTimeout": "00:05:00",
    "LdapSearchResultPageSize": 1000,
    "LdapHeavySearchTimeSpan": "00:00:00.2000000",
    "ConnectDisconnectedDomainControllersConfiguration": {
      "Interval": "00:05:00",
      "IsEnabled": true
    }
  },
  "DirectoryServicesResolverConfiguration": {
    "DirectoryEntityCacheConfiguration": {
      "ShardCount": 1,
      "MultiLruDictionaryConfiguration": {
        "MaxSize": 100000,
        "Policy": "MultiValue",
        "Timeout": "10675199.02:48:05.4775807"
      },
      "BackgroundRemoveOldConfiguration": {
        "Interval": "00:01:00",
        "IsEnabled": true
      }
    },
    "NegativeDirectoryEntityCacheConfiguration": {
      "ShardCount": 1,
      "MultiLruDictionaryConfiguration": {
        "MaxSize": 10000,
        "Policy": "MultiValue",
        "Timeout": "01:00:00"
      },
      "BackgroundRemoveOldConfiguration": {
        "Interval": "00:01:00",
        "IsEnabled": true
      }
    },
    "UpdateDirectoryEntityChangesBatchSizeThreshold": 10000,
    "UpdateDirectoryEntityChangesBlockBoundedCapacity": 100000,
    "UpdateDirectoryEntityChangesBlockParallelismDegree": 50,
    "UpdateDirectoryEntityChangesInitialUsnRange": 5000000,
    "UpdateForestGlobalsConfiguration": {
      "Interval": "1.00:00:00",
      "IsEnabled": true
    },
    "UpdateDirectoryEntityChangesConfiguration": {
      "Interval": "00:01:00",
      "IsEnabled": false
    },
    "UpdateDomainControllerIpAddressesConfiguration": {
      "Interval": "00:10:00",
      "IsEnabled": true
    }
  },
  "DnsClientConfiguration": {
    "InternalDnsClientTimeout": "00:00:00.2000000",
    "UpdateInternalDnsClientsConfiguration": {
      "Interval": "00:00:10",
      "IsEnabled": true
    }
  },
  "EntityResolverConfiguration": {
    "ActivityBlockConfiguration": {
      "MaxDegreeOfParallelism": 100,
      "MaxSize": 10000
    },
    "DrsrSourceComputerIpAddressToIsPromotingDomainControllerMappingConfiguration": {
      "ShardCount": 1,
      "MultiLruDictionaryConfiguration": {
        "MaxSize": 10000,
        "Policy": "SingleValue",
        "Timeout": "00:10:00"
      },
      "BackgroundRemoveOldConfiguration": {
        "Interval": "00:01:00",
        "IsEnabled": true
      }
    },
    "GetLightweightGatewayDomainControllerIdsConfiguration": {
      "Interval": "00:05:00",
      "IsEnabled": true
    },
    "SourceAccountIdToIsSmartcardRequiredRc4MappingConfiguration": {
      "ShardCount": 1,
      "MultiLruDictionaryConfiguration": {
        "MaxSize": 10000,
        "Policy": "SingleValue",
        "Timeout": "00:05:00"
      },
      "BackgroundRemoveOldConfiguration": {
        "Interval": "00:01:00",
        "IsEnabled": true
      }
    }
  },
  "EntitySenderConfiguration": {
    "EntityBatchBlockConfiguration": {
      "MaxSize": 100000
    },
    "EntityBatchMaxSize": 1000,
    "InitialSendRetryInterval": "00:00:03",
    "MaxSendRetryInterval": "00:10:00"
  },
  "EventActivityTranslatorConfiguration": {
    "DroppedEventsAccumulationQueueConfiguration": {
      "MaxSize": 10,
      "Interval": "00:01:00"
    },
    "EventMessageDataBlockConfiguration": {
      "MaxDegreeOfParallelism": 0,
      "MaxSize": 10000
    },
    "UpsertMonitoringAlertConfiguration": {
      "Interval": "00:01:00",
      "IsEnabled": true
    }
  },
  "GatewayResourceManagerConfiguration": {
    "RestrictCpuConfiguration": {
      "Interval": "00:00:10",
      "IsEnabled": true
    },
    "CpuRestrictionConfiguration": {
      "CpuTimePercentageAverageSampleCount": 5,
      "CpuTimeMinPercentage": 0.1,
      "FreeCpuTimePercentage": 0.15
    },
    "RestrictMemoryConfiguration": {
      "Interval": "00:00:10",
      "IsEnabled": true
    },
    "MemoryRestrictionConfiguration": {
      "FreePhysicalMemoryPercentage": 0.15,
      "WorkingSetMinPercentage": 0.1,
      "FreeCommitMemoryMaxPercentage": 0.15
    },
    "LowMemoryThresholdPercentage": 0.9,
    "LowMemoryResolutionInterval": "00:05:00",
    "RestartServiceInterval": "7.00:00:00"
  },
  "GatewaySecretManagerConfiguration": {
    "HashKeyEncrypted": {
      "EncryptedBytes": "ITWxolHqQWL/x/laKuT4VRQ1QQGn79E3sn8KzRFBWUcprk8d1+nnB/X/Tr7FfCihN1LeJ2ThkpztQRbCk/k0W18lcHnVI4y1TLrd6ceKIRoZZ7phemC3WmDj602eUSZS7uQFyDeGFZe4wKGpLPyCL2ZaxqowrDGEW1ZPn2hcbSdRMpWOqy5HRXMt/sYElMVX6+nsXww1kmDO6OlcCYDdf2ZuuZcTWxGP0i54WANGQjx7RYelyeAUrXxOoUb3JPRN3UvAqUAnwjfpxM3Em6MomNqvd0cCRomjyIoYIDurJM4gGFEpW0Cm+Y6kjf7fmCMUReTQ6Umoo18ok7W738vRSQ==",
      "CertificateThumbprint": "BA138D13EBD6B47DFBAFDA52A903AEFB0502537B"
    }
  },
  "GatewayServiceControllerConfiguration": {
    "SendGatewayServiceStatusUpdateConfiguration": {
      "Interval": "00:00:15",
      "IsEnabled": true
    }
  },
  "GatewayTelemetryManagerConfiguration": {
    "SendSystemTelemetryConfiguration": {
      "Interval": "12:00:00",
      "IsEnabled": true
    },
    "SendPerformanceCounterTelemetryConfiguration": {
      "Interval": "00:10:00",
      "IsEnabled": true
    },
    "SendExceptionStatisticsTelemetryConfiguration": {
      "Interval": "1.00:00:00",
      "IsEnabled": true
    }
  },
  "GatewayUpdaterSecretManagerConfiguration": {
    "RenewCertificateConfiguration": {
      "Interval": "1.00:00:00",
      "IsEnabled": true
    }
  },
  "GatewayUpdaterWebApplicationConfiguration": {
    "ServiceListeningIpEndpoint": {
      "Address": "127.0.0.1",
      "Port": 442
    },
    "CommunicationCookieExpiration": "00:20:00"
  },
  "GatewayUpdaterWebClientConfiguration": {
    "RetryDelay": "00:00:01",
    "ServiceEndpoints": [
      {
        "Address": "127.0.0.1",
        "Port": 442
      }
    ],
    "ServiceCertificateThumbprints": [
      "BA138D13EBD6B47DFBAFDA52A903AEFB0502537B"
    ]
  },
  "HttpClientConfiguration": {
    "BufferMaxSize": "128 MB",
    "Timeout": "00:10:00"
  },
  "LocalAdministratorsResolverConfiguration": {
    "IsEnabled": true,
    "LocalAdministratorsCacheConfiguration": {
      "ShardCount": 100,
      "MultiLruDictionaryConfiguration": {
        "MaxSize": 10000,
        "Policy": "SingleValue",
        "Timeout": "01:00:00"
      },
      "BackgroundRemoveOldConfiguration": {
        "Interval": "1.00:00:00",
        "IsEnabled": true
      }
    }
  },
  "MemoryStreamPoolConfiguration": {
    "BlockSize": "128 KB",
    "LargeBlockMultipleSize": "1 MB",
    "BufferMaxSize": "128 MB"
  },
  "NetbiosClientConfiguration": {
    "RetryMaxCount": 2
  },
  "NetworkActivityTranslatorConfiguration": {
    "MessageDataBlockCount": 3,
    "MessageDataBlockConfiguration": {
      "MaxDegreeOfParallelism": 1,
      "MaxSize": 10000
    },
    "NetworkActivityDataToEndpointIdentifierToNetworkActivitySessionNodeMappingConfiguration": {
      "ShardCount": 1,
      "MultiLruDictionaryConfiguration": {
        "MaxSize": 10000,
        "Policy": "SingleValue",
        "Timeout": "00:00:30"
      },
      "BackgroundRemoveOldConfiguration": {
        "Interval": "00:00:00",
        "IsEnabled": false
      }
    }
  },
  "NetworkListenerConfiguration": {
    "CaptureNetworkAdapterIds": [
      "{01DC61AC-7B90-4C77-9FFD-087DE343E545}"
    ],
    "CapturePromiscuousModeEnabled": false,
    "CapturePlaybackEnabled": false,
    "CapturePlaybackCircular": true,
    "CapturePlaybackFilePath": null,
    "CaptureBufferCount": 64,
    "CaptureBufferSize": "4 MB",
    "CaptureBufferPoolMaxSize": "160 MB",
    "CaptureBufferPoolBufferMaxSize": "4 KB",
    "CaptureMessageQueueMaxSize": "40 MB",
    "CaptureMessageQueueDropThresholdPercentage": 5,
    "ParsingFilter": null,
    "ParsingMessageMaxCount": 100000,
    "ParsingBatchProcessorTimeout": "00:00:02",
    "ParsingEndpointPartitionCount": null,
    "ParsingSessionTimeout": "00:00:30",
    "EtwEventThrottlingEnabled": true,
    "EtwEventThrottlingPauseMaxPercentThreshold": 50,
    "EtwEventThrottlingResumeMinPercentThreshold": 25,
    "EtwEventThrottlingResumeExtendedEvaluationDuration": "00:00:10",
    "LaggingEtwBufferCountAccumulationQueueConfiguration": {
      "MaxSize": 10,
      "Interval": "00:00:00"
    },
    "DroppedEventAndMessageCountAccumulationQueueConfiguration": {
      "MaxSize": 10,
      "Interval": "00:01:00"
    },
    "CheckUncapturableNetworkAdaptersConfiguration": {
      "Interval": "00:01:00",
      "IsEnabled": true
    },
    "UpdateStatisticsConfiguration": {
      "Interval": "00:00:01",
      "IsEnabled": true
    },
    "UpsertMonitoringAlertInterval": "00:01:00"
  },
  "NetworkNameResolverConfiguration": {
    "HintPromotionMinInterval": "00:00:10",
    "GetNatIpAddressesConfiguration": {
      "Interval": "00:15:00",
      "IsEnabled": true
    },
    "IpAddressToResolutionResultMappingConfiguration": {
      "ShardCount": 100,
      "MultiLruDictionaryConfiguration": {
        "MaxSize": 20000,
        "Policy": "SingleValue",
        "Timeout": "00:00:30"
      },
      "BackgroundRemoveOldConfiguration": {
        "Interval": "00:01:00",
        "IsEnabled": true
      }
    }
  },
  "RadiusEventListenerConfiguration": {
    "UdpListenerConfiguration": {
      "IsEnabled": false,
      "Port": 1813,
      "ReceiveBufferSize": "20 MB"
    },
    "SharedSecretEncrypted": null
  },
  "RpcNtlmClientConfiguration": {
    "RetryMaxCount": 2
  },
  "SecretManagerConfiguration": {
    "CertificateThumbprint": "BA138D13EBD6B47DFBAFDA52A903AEFB0502537B"
  },
  "ServiceSystemProfileConfiguration": {
    "Id": "5f2133911a6535035c4decb2"
  },
  "SyslogEventListenerConfiguration": {
    "UdpListenerConfiguration": {
      "IsEnabled": false,
      "Port": 514,
      "ReceiveBufferSize": "20 MB"
    }
  },
  "TcpClientWrapperConfiguration": {
    "PostponeBlockConfiguration": {
      "ActionConfiguration": {
        "Interval": "00:00:00.0150000",
        "IsEnabled": true
      },
      "MaxSize": 100000,
      "Timeout": "00:00:00.5000000"
    }
  },
  "UdpClientWrapperConfiguration": {
    "PostponeBlockConfiguration": {
      "ActionConfiguration": {
        "Interval": "00:00:00.0150000",
        "IsEnabled": true
      },
      "MaxSize": 200000,
      "Timeout": "00:00:00.5000000"
    }
  },
  "WindowsEventLogClientConfiguration": {
    "IsEnabled": true
  },
  "WindowsEventLogReaderConfiguration": {
    "IsEnabled": true,
    "IsForwardedEventReaderEnabled": false,
    "IsLocalEventReaderEnabled": true,
    "UpdateWindowsEventLogReaderBookmarksConfiguration": {
      "Interval": "00:00:30",
      "IsEnabled": true
    }
  }
}]
2020-07-29 08:30:16.6343 6584 8   Debug [GatewayConfigurationManager] Initialized
2020-07-29 08:30:16.6343 6584 8   Debug [SecretManager] Initializing
2020-07-29 08:30:16.7750 6584 8   Debug [SecretManager] Initialized
2020-07-29 08:30:16.7750 6584 8   Debug [GatewaySecretManager] Initializing
2020-07-29 08:30:16.7750 6584 8   Debug [GatewaySecretManager] Initialized
2020-07-29 08:30:16.7750 6584 8   Debug [PerformanceCounterCategoryManagerProxy] Initializing
2020-07-29 08:30:16.7906 6584 8   Debug [PerformanceCounterCategoryManagerProxy] Initialized
2020-07-29 08:30:16.7906 6584 8   Debug [PerformanceCounterManager] Initializing
2020-07-29 08:30:16.7906 6584 8   Debug [PerformanceCounterManager] Initialized
2020-07-29 08:30:16.7906 6584 8   Debug [AppDomainManager] Initializing
2020-07-29 08:30:16.7906 6584 8   Debug [AppDomainManager] Initialized
2020-07-29 08:30:16.7906 6584 8   Debug [CenterMonitoringEngineProxy] Initializing
2020-07-29 08:30:16.7906 6584 8   Debug [CenterMonitoringEngineProxy] Initialized
2020-07-29 08:30:16.7906 6584 8   Debug [ResourceManagerProxy] Initializing
2020-07-29 08:30:16.7906 6584 8   Debug [ResourceManagerProxy] Initialized
2020-07-29 08:30:16.7906 6584 8   Debug [GatewayResourceManager] Initializing
2020-07-29 08:30:22.7874 6584 8   Debug [GatewayResourceManager] Initialized
2020-07-29 08:30:22.7874 6584 8   Debug [EntityReceiverProxy] Initializing
2020-07-29 08:30:22.7874 6584 8   Debug [EntityReceiverProxy] Initialized
2020-07-29 08:30:22.7874 6584 8   Debug [EntitySender] Initializing
2020-07-29 08:30:23.2260 6584 8   Debug [EntitySender] Initialized
2020-07-29 08:30:23.2260 6584 8   Debug [TcpClientWrapper] Initializing
2020-07-29 08:30:23.2416 6584 8   Debug [TcpClientWrapper] Initialized
2020-07-29 08:30:23.2416 6584 8   Debug [UdpClientWrapper] Initializing
2020-07-29 08:30:23.2416 6584 8   Debug [UdpClientWrapper] Initialized
2020-07-29 08:30:23.2416 6584 8   Debug [DnsClient] Initializing
2020-07-29 08:30:23.8229 6584 8   Debug [DnsClient] Initialized
2020-07-29 08:30:23.8229 6584 8   Debug [NetbiosClient] Initializing
2020-07-29 08:30:23.8229 6584 8   Debug [NetbiosClient] Initialized
2020-07-29 08:30:23.8229 6584 8   Debug [RpcNtlmClient] Initializing
2020-07-29 08:30:23.8229 6584 8   Debug [RpcNtlmClient] Initialized
2020-07-29 08:30:23.8229 6584 8   Debug [NetworkNameResolver] Initializing
2020-07-29 08:30:23.8385 6584 8   Debug [NetworkNameResolver] Initialized
2020-07-29 08:30:23.8385 6584 8   Debug [DirectoryServicesClient] Initializing
2020-07-29 08:30:25.6627 6584 13  Info  [DirectoryServicesClient] Connected domain controllers [
DomainControllerDnsName=dc.windomain.local, IsGlobalCatalog=True]
2020-07-29 08:30:25.6627 6584 13  Debug [DirectoryServicesClient] Initialized
2020-07-29 08:30:25.6627 6584 13  Debug [DirectoryServicesResolver] Initializing
2020-07-29 08:30:26.2101 6584 9   Debug [DirectoryServicesResolver] Initialized
2020-07-29 08:30:26.2101 6584 9   Debug [LocalAdministratorsResolver] Initializing
2020-07-29 08:30:26.2414 6584 9   Debug [LocalAdministratorsResolver] Initialized
2020-07-29 08:30:26.2414 6584 9   Debug [EntityResolver] Initializing
2020-07-29 08:30:26.2570 6584 9   Debug [EntityResolver] Initialized
2020-07-29 08:30:26.2570 6584 9   Debug [RadiusEventActivityTranslator] Initializing
2020-07-29 08:30:26.2727 6584 9   Debug [RadiusEventActivityTranslator] Initialized
2020-07-29 08:30:26.2727 6584 9   Debug [SyslogEventActivityTranslator] Initializing
2020-07-29 08:30:26.2727 6584 9   Debug [SyslogEventActivityTranslator] Initialized
2020-07-29 08:30:26.2727 6584 9   Debug [WefEventActivityTranslator] Initializing
2020-07-29 08:30:26.2727 6584 9   Debug [WefEventActivityTranslator] Initialized
2020-07-29 08:30:26.2727 6584 9   Debug [RadiusEventListener] Initializing
2020-07-29 08:30:26.2727 6584 9   Debug [RadiusEventListener] Initialized
2020-07-29 08:30:26.2727 6584 9   Debug [SyslogEventListener] Initializing
2020-07-29 08:30:26.2727 6584 9   Debug [SyslogEventListener] Initialized
2020-07-29 08:30:26.2727 6584 9   Debug [WindowsEventLogReader] Initializing
2020-07-29 08:30:26.8039 6584 13  Debug [WindowsEventLogReader] Initialized
2020-07-29 08:30:26.8039 6584 13  Debug [NetworkActivityTranslator] Initializing
2020-07-29 08:30:29.1972 6584 13  Debug [NetworkActivityTranslator] Ignoring network traffic [ignoredNetworkAdapters= ignoredMacAddresses=]
2020-07-29 08:30:29.1972 6584 13  Debug [NetworkActivityTranslator] Initialized
2020-07-29 08:30:29.1972 6584 13  Debug [NetEventSessionManagerProxy] Initializing
2020-07-29 08:30:29.1972 6584 13  Debug [NetEventSessionManagerProxy] Initialized
2020-07-29 08:30:29.1972 6584 13  Debug [NetworkListener] Initializing
2020-07-29 08:30:50.0354 6584 13  Debug [NetworkListener] Creating MDB files
2020-07-29 08:30:56.5040 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Standard_e8859df5612cfeecb9d80a0873f7410a_4_0_7587_0.mdb'
2020-07-29 08:30:57.0705 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Technologies.WSDL_3e19de4996281a2cebc5dcf64eba5e56_4_0_7587_0.mdb'
2020-07-29 08:30:57.6955 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Technologies.SOAP_03ea7644124b8e5b4858e8c8f0871886_4_0_7587_0.mdb'
2020-07-29 08:30:58.2475 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Technologies.IDL_1e8a8423ffe77cfe431fe5892f46b69d_4_0_7587_0.mdb'
2020-07-29 08:30:58.2631 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Technologies.WCF_08de3df18631e23605c90c3973f22b77_4_0_7587_0.mdb'
2020-07-29 08:30:58.2788 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Technologies.Rest_ee41ae9502083c547557cd9319044122_4_0_7587_0.mdb'
2020-07-29 08:30:58.2788 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Technologies.Block_0c60205071daa5953ffd55c7a93332ff_4_0_7587_0.mdb'
2020-07-29 08:30:58.3100 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Technologies.ASN1_eac4cce6d6501c8a6c6f3fcffd9fe9ae_4_0_7587_0.mdb'
2020-07-29 08:30:58.8425 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Dynamic.Protocol_46f7883c1f0a44ce610cd93cb6d9a3ce_4_0_7587_0.mdb'
2020-07-29 08:30:58.8581 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Diagnostics_8fa66521e9167d6081e992996066fe2a_4_0_7587_0.mdb'
2020-07-29 08:31:49.9062 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Perfmon_9226cf351fc3b66f2a9bb8dc9f9a6416_4_0_7587_0.mdb'
2020-07-29 08:31:49.9531 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SazFile_6020c543bc79642284f96d36872fc1ac_4_0_7587_0.mdb'
2020-07-29 08:31:50.5039 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\RemoteCapture_7f7ff479981dfbad67dc4eae6e73de39_4_0_7587_0.mdb'
2020-07-29 08:31:51.1312 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Etw_df9c6482001ad9af1c648d4f6eaec639_4_0_7587_0.mdb'
2020-07-29 08:31:51.7105 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\EtwEvent_7449986a1df3bffe9a15ac0b04f7b744_4_0_7587_0.mdb'
2020-07-29 08:31:51.7261 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\CapFile_a704ec8c00710a3809e6bdae4393b763_4_0_7587_0.mdb'
2020-07-29 08:31:51.7261 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\XmlFile_85c8902ccea061ac68fd6c7753c6f405_4_0_7587_0.mdb'
2020-07-29 08:31:51.7417 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WPP_eb221c4bc58ac5024e35725efe95e1b7_4_0_7587_0.mdb'
2020-07-29 08:31:51.7417 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PSFile_310d4cd1d9780c96a53ca1154bc01edf_4_0_7587_0.mdb'
2020-07-29 08:31:52.3018 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DumpFile_7628b374e006daef2ae04488623a01b5_4_0_7587_0.mdb'
2020-07-29 08:31:52.3174 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Procmon_418c5592d2472fe255bc3bdc874b139f_4_0_7587_0.mdb'
2020-07-29 08:31:52.3331 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PcapFile_8ccf224106f11cafa7cd35617cef7ff6_4_0_7587_0.mdb'
2020-07-29 08:31:52.8813 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LogFile_e6247d40465cd5d1a5ba104fef118c01_4_0_7587_0.mdb'
2020-07-29 08:31:52.8813 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\EventLog_9368c1aabd7ff9f259e1fe3a08b153c1_4_0_7587_0.mdb'
2020-07-29 08:31:52.8813 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\CsvFile_e417a7bb89d595dfdebcf9756843d4fb_4_0_7587_0.mdb'
2020-07-29 08:31:52.8969 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\AzureImport_dcedee74ce7dae591cab649dd02d968b_4_0_7587_0.mdb'
2020-07-29 08:31:52.8969 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\InfrastructureResources_7c75097654754987c0b113cbdd5013df_4_0_7587_0.mdb'
2020-07-29 08:31:57.0402 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Utility_8f495fadbec85dbf087bca8531b45a12_4_0_7587_0.mdb'
2020-07-29 08:32:05.3804 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IANA_d04a30eece2045e4fbe2914a5d37798a_4_0_7587_0.mdb'
2020-07-29 08:32:05.9779 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Ethernet_1881651cfff727b21eb770a9f9453e34_4_0_7587_0.mdb'
2020-07-29 08:32:07.1252 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IP1394_ec35c7db1bc51d905391627ad5d4bd96_4_0_7587_0.mdb'
2020-07-29 08:32:07.1408 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\CoreNetworkingResources_e973be36a39b8f19352aeaaf16b3fe25_4_0_7587_0.mdb'
2020-07-29 08:32:07.7193 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ReassembledTCP_c34f86a7dc4fce046b8a91c499d561f1_4_0_7587_0.mdb'
2020-07-29 08:32:08.3322 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Reassembly_41478d4414235cb601f75cae6d3f62d4_4_0_7587_0.mdb'
2020-07-29 08:32:10.1253 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IPv4_e9026598843665bfedf18c575c96b401_4_0_7587_0.mdb'
2020-07-29 08:32:12.4876 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IPv6_daa42f19cd145777fabf7ac0b963b34f_4_0_7587_0.mdb'
2020-07-29 08:32:17.8231 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\TCP_e2e92ed303168eba132f4d2889901c0f_4_0_7587_0.mdb'
2020-07-29 08:32:18.4254 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\UDP_4fa12d228c06fe93b66812f2d1c000fa_4_0_7587_0.mdb'
2020-07-29 08:32:20.7852 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NdisEtwProvider_c25d3e80e4f1f8a93e4875806dd42886_4_0_7587_0.mdb'
2020-07-29 08:32:35.6337 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WiFi_92c395eb14a2f2d8cbd78d832ba4d067_4_0_7587_0.mdb'
2020-07-29 08:32:36.8399 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PefNdisProvider_775d055f4982c26c0f9ea64f7c1fa8cc_4_0_7587_0.mdb'
2020-07-29 08:32:38.0369 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WiFiChannelInfo_ff913bc914072da249c66550243da92b_4_0_7587_0.mdb'
2020-07-29 08:32:38.6463 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LLC_d8d3f9800c37f1ba4aaa634b3d0ab6ad_4_0_7587_0.mdb'
2020-07-29 08:32:39.2419 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LinuxCookedMode_4adb7402ba2a8a19dddc2ca5ef96d2b2_4_0_7587_0.mdb'
2020-07-29 08:32:40.3792 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ERF_fc059de6a721976592bc02a67ad246b1_4_0_7587_0.mdb'
2020-07-29 08:32:41.5898 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Radiotap_75dc12b1828d6f12d1751121af8e8f28_4_0_7587_0.mdb'
2020-07-29 08:32:48.1297 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ERREF_0424ab69f90140a0b223d4bcd6f202ac_4_0_7587_0.mdb'
2020-07-29 08:32:48.7211 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WfpUtility_2b98b4becc0f1708583595226e7494f3_4_0_7587_0.mdb'
2020-07-29 08:32:49.8958 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WFPCapture_6e97a2e2078fc2b9fd853d1d2dc50fff_4_0_7587_0.mdb'
2020-07-29 08:32:55.2523 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ICMP_57dc2f6154d075ee80e48250323dc962_4_0_7587_0.mdb'
2020-07-29 08:32:56.4337 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\GRE_017891ae3f2ae2fbb5d210f46b4bf790_4_0_7587_0.mdb'
2020-07-29 08:32:57.0196 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PPP_c35103f266be097da6faf13f14956dd8_4_0_7587_0.mdb'
2020-07-29 08:32:57.6283 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PPPoE_efe332ffe6904b2560ba4d9cf25a0b67_4_0_7587_0.mdb'
2020-07-29 08:32:58.2532 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PcapFileActors_eb1c5085186d410487b78ea1d6cb286c_4_0_7587_0.mdb'
2020-07-29 08:32:59.3941 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\CombinedParser_799185d65b4b52e0e29f8d9952c63638_4_0_7587_0.mdb'
2020-07-29 08:33:03.6012 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DTYP_4199acf0eb5fb905f2a0de12c35eebb2_4_0_7587_0.mdb'
2020-07-29 08:33:08.3008 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NBTNS_1f23f634cab281544dfd532c01f6433c_4_0_7587_0.mdb'
2020-07-29 08:33:09.5155 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NBTSS_004d58449f5dcb6c067cdc3daab90500_4_0_7587_0.mdb'
2020-07-29 08:33:09.5311 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ABNF_892875283a4bdb8915030a4bfb11b857_4_0_7587_0.mdb'
2020-07-29 08:33:20.7571 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\HTTP_8b220c6b56e44be5d7888c6f202350e2_4_0_7587_0.mdb'
2020-07-29 08:33:20.7731 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\MicrosoftCommonResources_ce18f767b75b9c811a6e7e0170e9f01e_4_0_7587_0.mdb'
2020-07-29 08:33:27.3058 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\RPCH_9c8466a6cbd175d08e10b7a034214a63_4_0_7587_0.mdb'
2020-07-29 08:33:30.2781 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\X509_ef5ce6f94852dccc7a0591bb7e7a26a5_4_0_7587_0.mdb'
2020-07-29 08:33:31.4840 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\OCSP_0af750659716e8a8043d835c5c2ed9f2_4_0_7587_0.mdb'
2020-07-29 08:33:37.4124 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\TLS_d0c9d0bee7097eeab76740d42864211b_4_0_7587_0.mdb'
2020-07-29 08:33:37.4356 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SPNG_dcdb65adda9e97beb2eee5701647085e_4_0_7587_0.mdb'
2020-07-29 08:33:40.9614 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NLMP_1b919357fe00e9544a56aa364da61a49_4_0_7587_0.mdb'
2020-07-29 08:33:45.7155 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\KerberosV5_df67bd38df39aee184f2207c06aca59a_4_0_7587_0.mdb'
2020-07-29 08:33:46.9051 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\GSSAPIKRB5_6754fa32d88e8595adbbb01922ecbd53_4_0_7587_0.mdb'
2020-07-29 08:33:49.9105 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DNS_ea8aeeee348c5c63fc4ee4d2570c6ac9_4_0_7587_0.mdb'
2020-07-29 08:33:51.0941 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\GSSAPI_2911f93208236408d48f9d9badb8157c_4_0_7587_0.mdb'
2020-07-29 08:34:04.7007 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\MSRPCE_016bc621835345f616739d839aec44c1_4_0_7587_0.mdb'
2020-07-29 08:34:07.6733 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NBF_e3852cb859be4ad5ecd54a9950fb5a28_4_0_7587_0.mdb'
2020-07-29 08:34:07.7201 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\FAS_6dd8139565f6a7c5def3b6a26e16f08d_4_0_7587_0.mdb'
2020-07-29 08:34:18.9673 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SMBTransport_2c1b9935a9beb1c9c8749c943a03f5c5_4_0_7587_0.mdb'
2020-07-29 08:34:19.5455 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SMBOverTCP_eb7be4739f08df1b51f7172953d78792_4_0_7587_0.mdb'
2020-07-29 08:34:23.1401 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\FSCC_1ce730ffdcbfdab1d0cfccb077097bda_4_0_7587_0.mdb'
2020-07-29 08:34:23.1553 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\FileSharingResources_bc955ec4e751f1d7f84a3132e3c67a00_4_0_7587_0.mdb'
2020-07-29 08:35:13.6245 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SMB_e9d4b475af4f8ccbb06c2f2fbe395b5a_4_0_7587_0.mdb'
2020-07-29 08:35:14.7811 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PCCRC_07727941628446634e371d36f98cd1c3_4_0_7587_0.mdb'
2020-07-29 08:35:38.5280 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SMB2_61a745a9a6f49f7a967f8d7de3cb1e43_4_0_7587_0.mdb'
2020-07-29 08:35:39.1455 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WindowsReference_12d1425bd05d5c141c97a31480a1940f_4_0_7587_0.mdb'
2020-07-29 08:35:39.7127 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Digest_7520f612cc12205df045ecbb4a9d7101_4_0_7587_0.mdb'
2020-07-29 08:35:40.3426 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SASL_9fcce4f88425ff1b75e88161cc4c7880_4_0_7587_0.mdb'
2020-07-29 08:35:44.4679 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LDAPDecodingHelper_199bfaed740a57a1d76220bbe45b1b9c_4_0_7587_0.mdb'
2020-07-29 08:35:48.6419 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LDAP_8d4d59778ee7fb2e599a68b44060bcd7_4_0_7587_0.mdb'
2020-07-29 08:35:49.2200 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\CLDAP_23fd6f2c85a592e9121bd3f7c21c6390_4_0_7587_0.mdb'
2020-07-29 08:36:02.9073 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DCOM_1946afb16adde166d22f6beb42251422_4_0_7587_0.mdb'
2020-07-29 08:36:04.6712 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\OAUT_47c26755210cbd1290a712cd2547fdf2_4_0_7587_0.mdb'
2020-07-29 08:36:24.2784 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SRVS_6c3e0de06ce6dd35c27e9dff4ba781a0_4_0_7587_0.mdb'
2020-07-29 08:36:40.2909 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DRSR_dca30d34047024780637b88c1bdcd453_4_0_7587_0.mdb'
2020-07-29 08:36:40.3065 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IdentityAndSecurityResources_94ba40c1eacb299f64c96a9f331023db_4_0_7587_0.mdb'
2020-07-29 08:36:59.3197 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LSA_0d332d97fd1f4dc0d7851ce5883dfce4_4_0_7587_0.mdb'
2020-07-29 08:37:19.4910 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SAMR_5cb1e57e7b755c9d5f66a05baca36a49_4_0_7587_0.mdb'
2020-07-29 08:37:41.4657 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SCMR_aed4e5b953b8ce0ee3fa75efd9780356_4_0_7587_0.mdb'
2020-07-29 08:37:52.1766 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\TSCH_2d68ca7aeb99b932d0830751592fd3c2_4_0_7587_0.mdb'
2020-07-29 08:37:52.7174 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\OthersResources_64bdf6c19535ab1a21080983f82e449e_4_0_7587_0.mdb'
2020-07-29 08:38:15.3242 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WMI_2f62b36a315fb638e19e80a4b9c17e8c_4_0_7587_0.mdb'
2020-07-29 08:38:20.0758 6584 11  Debug [NetworkListener] Module cache saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\EPM_032874d04ce88eb14d34d28fa7a6f571_4_0_7587_0.mdb'
2020-07-29 08:38:24.8070 6584 13  Debug [NetworkListener] Created MDB files
2020-07-29 08:38:24.8382 6584 13  Debug [NetworkListener] Initialized
2020-07-29 08:38:24.8382 6584 13  Debug [CenterTelemetryManagerProxy] Initializing
2020-07-29 08:38:24.8382 6584 13  Debug [CenterTelemetryManagerProxy] Initialized
2020-07-29 08:38:24.8382 6584 13  Debug [GatewayTelemetryManager] Initializing
2020-07-29 08:38:24.8382 6584 13  Debug [GatewayTelemetryManager] Initialized
2020-07-29 08:38:24.8382 6584 13  Debug [GatewayModuleManager] Initialized
2020-07-29 08:38:24.8382 6584 13  Debug [GatewayModuleManager] Starting
2020-07-29 08:38:24.8382 6584 13  Debug [GatewayConfigurationManager] Starting
2020-07-29 08:38:24.8382 6584 13  Debug [GatewayConfigurationManager] Started
2020-07-29 08:38:24.8382 6584 13  Debug [SecretManager] Starting
2020-07-29 08:38:24.8382 6584 13  Debug [SecretManager] Started
2020-07-29 08:38:24.8382 6584 13  Debug [GatewaySecretManager] Starting
2020-07-29 08:38:24.8382 6584 13  Debug [GatewaySecretManager] Started
2020-07-29 08:38:24.8382 6584 13  Debug [PerformanceCounterCategoryManagerProxy] Starting
2020-07-29 08:38:24.8382 6584 13  Debug [PerformanceCounterCategoryManagerProxy] Started
2020-07-29 08:38:24.8382 6584 13  Debug [PerformanceCounterManager] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [PerformanceCounterManager] Started
2020-07-29 08:38:28.0223 6584 13  Debug [AppDomainManager] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [AppDomainManager] Started
2020-07-29 08:38:28.0223 6584 13  Debug [CenterMonitoringEngineProxy] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [CenterMonitoringEngineProxy] Started
2020-07-29 08:38:28.0223 6584 13  Debug [ResourceManagerProxy] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [ResourceManagerProxy] Started
2020-07-29 08:38:28.0223 6584 13  Debug [GatewayResourceManager] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [GatewayResourceManager] Started
2020-07-29 08:38:28.0223 6584 13  Debug [EntityReceiverProxy] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [EntityReceiverProxy] Started
2020-07-29 08:38:28.0223 6584 13  Debug [EntitySender] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [EntitySender] Started
2020-07-29 08:38:28.0223 6584 13  Debug [TcpClientWrapper] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [TcpClientWrapper] Started
2020-07-29 08:38:28.0223 6584 13  Debug [UdpClientWrapper] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [UdpClientWrapper] Started
2020-07-29 08:38:28.0223 6584 13  Debug [DnsClient] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [DnsClient] Started
2020-07-29 08:38:28.0223 6584 13  Debug [NetbiosClient] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [NetbiosClient] Started
2020-07-29 08:38:28.0223 6584 13  Debug [RpcNtlmClient] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [RpcNtlmClient] Started
2020-07-29 08:38:28.0223 6584 13  Debug [NetworkNameResolver] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [NetworkNameResolver] Started
2020-07-29 08:38:28.0223 6584 13  Debug [DirectoryServicesClient] Starting
2020-07-29 08:38:28.0223 6584 13  Debug [DirectoryServicesClient] Started
2020-07-29 08:38:28.0223 6584 13  Debug [DirectoryServicesResolver] Starting
2020-07-29 08:38:28.1004 6584 14  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:38:28.3817 6584 15  Debug [DirectoryServicesResolver] Started
2020-07-29 08:38:28.3817 6584 15  Debug [LocalAdministratorsResolver] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [LocalAdministratorsResolver] Started
2020-07-29 08:38:28.3817 6584 15  Debug [EntityResolver] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [EntityResolver] Started
2020-07-29 08:38:28.3817 6584 15  Debug [RadiusEventActivityTranslator] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [RadiusEventActivityTranslator] Started
2020-07-29 08:38:28.3817 6584 15  Debug [SyslogEventActivityTranslator] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [SyslogEventActivityTranslator] Started
2020-07-29 08:38:28.3817 6584 15  Debug [WefEventActivityTranslator] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [WefEventActivityTranslator] Started
2020-07-29 08:38:28.3817 6584 15  Debug [RadiusEventListener] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [RadiusEventListener] Started
2020-07-29 08:38:28.3817 6584 15  Debug [SyslogEventListener] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [SyslogEventListener] Started
2020-07-29 08:38:28.3817 6584 15  Debug [WindowsEventLogReader] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [WindowsEventLogReader] Started
2020-07-29 08:38:28.3817 6584 15  Debug [NetworkActivityTranslator] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [NetworkActivityTranslator] Started
2020-07-29 08:38:28.3817 6584 15  Debug [NetEventSessionManagerProxy] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [NetEventSessionManagerProxy] Started
2020-07-29 08:38:28.3817 6584 15  Debug [NetworkListener] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [NetworkListener] Started
2020-07-29 08:38:28.3817 6584 15  Debug [CenterTelemetryManagerProxy] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [CenterTelemetryManagerProxy] Started
2020-07-29 08:38:28.3817 6584 15  Debug [GatewayTelemetryManager] Starting
2020-07-29 08:38:28.3817 6584 15  Debug [GatewayTelemetryManager] Started
2020-07-29 08:38:28.3817 6584 15  Debug [GatewayModuleManager] Started
2020-07-29 08:38:28.3973 6584 5   Debug [GatewayService] Started
2020-07-29 08:38:38.4588 6584 5   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:38:38.4744 6584 17  Debug [NetworkListener] Compiling OPN files
2020-07-29 08:38:39.0589 6584 17  Debug [NetworkListener] Recompiling module assembly 'InfrastructureResources'
2020-07-29 08:38:43.8056 6584 23  Debug [DirectoryServicesResolver] Domain controller [DnsName=dc.windomain.local IsReadOnly=False IpAddresses=]
2020-07-29 08:38:44.3950 6584 23  Info  [GatewayConfigurationManager] Mutable property changed [Type=DirectoryServicesResolverConfiguration oldModuleConfiguration={
  "DirectoryEntityCacheConfiguration": {
    "ShardCount": 1,
    "MultiLruDictionaryConfiguration": {
      "MaxSize": 100000,
      "Policy": "MultiValue",
      "Timeout": "10675199.02:48:05.4775807"
    },
    "BackgroundRemoveOldConfiguration": {
      "Interval": "00:01:00",
      "IsEnabled": true
    }
  },
  "NegativeDirectoryEntityCacheConfiguration": {
    "ShardCount": 1,
    "MultiLruDictionaryConfiguration": {
      "MaxSize": 10000,
      "Policy": "MultiValue",
      "Timeout": "01:00:00"
    },
    "BackgroundRemoveOldConfiguration": {
      "Interval": "00:01:00",
      "IsEnabled": true
    }
  },
  "UpdateDirectoryEntityChangesBatchSizeThreshold": 10000,
  "UpdateDirectoryEntityChangesBlockBoundedCapacity": 100000,
  "UpdateDirectoryEntityChangesBlockParallelismDegree": 50,
  "UpdateDirectoryEntityChangesInitialUsnRange": 5000000,
  "UpdateForestGlobalsConfiguration": {
    "Interval": "1.00:00:00",
    "IsEnabled": true
  },
  "UpdateDirectoryEntityChangesConfiguration": {
    "Interval": "00:01:00",
    "IsEnabled": false
  },
  "UpdateDomainControllerIpAddressesConfiguration": {
    "Interval": "00:10:00",
    "IsEnabled": true
  }
} newModuleConfiguration={
  "DirectoryEntityCacheConfiguration": {
    "ShardCount": 1,
    "MultiLruDictionaryConfiguration": {
      "MaxSize": 100000,
      "Policy": "MultiValue",
      "Timeout": "10675199.02:48:05.4775807"
    },
    "BackgroundRemoveOldConfiguration": {
      "Interval": "00:01:00",
      "IsEnabled": true
    }
  },
  "NegativeDirectoryEntityCacheConfiguration": {
    "ShardCount": 1,
    "MultiLruDictionaryConfiguration": {
      "MaxSize": 10000,
      "Policy": "MultiValue",
      "Timeout": "01:00:00"
    },
    "BackgroundRemoveOldConfiguration": {
      "Interval": "00:01:00",
      "IsEnabled": true
    }
  },
  "UpdateDirectoryEntityChangesBatchSizeThreshold": 10000,
  "UpdateDirectoryEntityChangesBlockBoundedCapacity": 100000,
  "UpdateDirectoryEntityChangesBlockParallelismDegree": 50,
  "UpdateDirectoryEntityChangesInitialUsnRange": 5000000,
  "UpdateForestGlobalsConfiguration": {
    "Interval": "1.00:00:00",
    "IsEnabled": true
  },
  "UpdateDirectoryEntityChangesConfiguration": {
    "Interval": "00:01:00",
    "IsEnabled": true
  },
  "UpdateDomainControllerIpAddressesConfiguration": {
    "Interval": "00:10:00",
    "IsEnabled": true
  }
}]
2020-07-29 08:38:44.9658 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\InfrastructureResources_7c75097654754987c0b113cbdd5013df_4_0_7587_0.dll'
2020-07-29 08:38:44.9658 6584 17  Debug [NetworkListener] Loaded cached assembly 'InfrastructureResources_7c75097654754987c0b113cbdd5013df_4_0_7587_0.dll'
2020-07-29 08:38:44.9658 6584 17  Debug [NetworkListener] Recompiling module assembly 'Utility'
2020-07-29 08:38:47.4809 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Utility_8f495fadbec85dbf087bca8531b45a12_4_0_7587_0.dll'
2020-07-29 08:38:47.4809 6584 17  Debug [NetworkListener] Loaded cached assembly 'Utility_8f495fadbec85dbf087bca8531b45a12_4_0_7587_0.dll'
2020-07-29 08:38:47.4965 6584 17  Debug [NetworkListener] Recompiling module assembly 'GRE'
2020-07-29 08:38:47.8101 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\GRE_017891ae3f2ae2fbb5d210f46b4bf790_4_0_7587_0.dll'
2020-07-29 08:38:47.8101 6584 17  Debug [NetworkListener] Loaded cached assembly 'GRE_017891ae3f2ae2fbb5d210f46b4bf790_4_0_7587_0.dll'
2020-07-29 08:38:47.8412 6584 17  Debug [NetworkListener] Recompiling module assembly 'IANA'
2020-07-29 08:38:49.2652 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IANA_d04a30eece2045e4fbe2914a5d37798a_4_0_7587_0.dll'
2020-07-29 08:38:49.2652 6584 17  Debug [NetworkListener] Loaded cached assembly 'IANA_d04a30eece2045e4fbe2914a5d37798a_4_0_7587_0.dll'
2020-07-29 08:38:49.2852 6584 17  Debug [NetworkListener] Recompiling module assembly 'ReassembledTCP'
2020-07-29 08:38:49.5196 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ReassembledTCP_c34f86a7dc4fce046b8a91c499d561f1_4_0_7587_0.dll'
2020-07-29 08:38:49.5196 6584 17  Debug [NetworkListener] Loaded cached assembly 'ReassembledTCP_c34f86a7dc4fce046b8a91c499d561f1_4_0_7587_0.dll'
2020-07-29 08:38:49.5353 6584 17  Debug [NetworkListener] Recompiling module assembly 'CoreNetworkingResources'
2020-07-29 08:38:49.7071 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\CoreNetworkingResources_e973be36a39b8f19352aeaaf16b3fe25_4_0_7587_0.dll'
2020-07-29 08:38:49.7071 6584 17  Debug [NetworkListener] Loaded cached assembly 'CoreNetworkingResources_e973be36a39b8f19352aeaaf16b3fe25_4_0_7587_0.dll'
2020-07-29 08:38:49.7071 6584 17  Debug [NetworkListener] Recompiling module assembly 'Reassembly'
2020-07-29 08:38:50.1320 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Reassembly_41478d4414235cb601f75cae6d3f62d4_4_0_7587_0.dll'
2020-07-29 08:38:50.1320 6584 17  Debug [NetworkListener] Loaded cached assembly 'Reassembly_41478d4414235cb601f75cae6d3f62d4_4_0_7587_0.dll'
2020-07-29 08:38:50.1523 6584 17  Debug [NetworkListener] Recompiling module assembly 'IPv4'
2020-07-29 08:38:50.5742 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IPv4_e9026598843665bfedf18c575c96b401_4_0_7587_0.dll'
2020-07-29 08:38:50.5742 6584 17  Debug [NetworkListener] Loaded cached assembly 'IPv4_e9026598843665bfedf18c575c96b401_4_0_7587_0.dll'
2020-07-29 08:38:50.6054 6584 17  Debug [NetworkListener] Recompiling module assembly 'IP1394'
2020-07-29 08:38:50.9136 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IP1394_ec35c7db1bc51d905391627ad5d4bd96_4_0_7587_0.dll'
2020-07-29 08:38:50.9136 6584 17  Debug [NetworkListener] Loaded cached assembly 'IP1394_ec35c7db1bc51d905391627ad5d4bd96_4_0_7587_0.dll'
2020-07-29 08:38:51.8420 6584 17  Debug [NetworkListener] Recompiling module assembly 'Ethernet'
2020-07-29 08:38:52.1550 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Ethernet_1881651cfff727b21eb770a9f9453e34_4_0_7587_0.dll'
2020-07-29 08:38:52.1550 6584 17  Debug [NetworkListener] Loaded cached assembly 'Ethernet_1881651cfff727b21eb770a9f9453e34_4_0_7587_0.dll'
2020-07-29 08:38:53.3081 6584 17  Debug [NetworkListener] Recompiling module assembly 'IPv6'
2020-07-29 08:38:53.7281 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IPv6_daa42f19cd145777fabf7ac0b963b34f_4_0_7587_0.dll'
2020-07-29 08:38:53.7281 6584 17  Debug [NetworkListener] Loaded cached assembly 'IPv6_daa42f19cd145777fabf7ac0b963b34f_4_0_7587_0.dll'
2020-07-29 08:38:55.7342 6584 17  Debug [NetworkListener] Recompiling module assembly 'TCP'
2020-07-29 08:38:56.6501 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\TCP_e2e92ed303168eba132f4d2889901c0f_4_0_7587_0.dll'
2020-07-29 08:38:56.6501 6584 17  Debug [NetworkListener] Loaded cached assembly 'TCP_e2e92ed303168eba132f4d2889901c0f_4_0_7587_0.dll'
2020-07-29 08:38:59.8852 6584 17  Debug [NetworkListener] Recompiling module assembly 'UDP'
2020-07-29 08:39:00.1462 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\UDP_4fa12d228c06fe93b66812f2d1c000fa_4_0_7587_0.dll'
2020-07-29 08:39:00.1462 6584 17  Debug [NetworkListener] Loaded cached assembly 'UDP_4fa12d228c06fe93b66812f2d1c000fa_4_0_7587_0.dll'
2020-07-29 08:39:01.3027 6584 17  Debug [NetworkListener] Recompiling module assembly 'ICMP'
2020-07-29 08:39:04.2789 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ICMP_57dc2f6154d075ee80e48250323dc962_4_0_7587_0.dll'
2020-07-29 08:39:04.2789 6584 17  Debug [NetworkListener] Loaded cached assembly 'ICMP_57dc2f6154d075ee80e48250323dc962_4_0_7587_0.dll'
2020-07-29 08:39:06.5633 6584 17  Debug [NetworkListener] Recompiling module assembly 'ERREF'
2020-07-29 08:39:14.1581 6584 19  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:39:14.5141 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ERREF_0424ab69f90140a0b223d4bcd6f202ac_4_0_7587_0.dll'
2020-07-29 08:39:14.5141 6584 17  Debug [NetworkListener] Loaded cached assembly 'ERREF_0424ab69f90140a0b223d4bcd6f202ac_4_0_7587_0.dll'
2020-07-29 08:39:14.5141 6584 17  Debug [NetworkListener] Recompiling module assembly 'WfpUtility'
2020-07-29 08:39:14.9194 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WfpUtility_2b98b4becc0f1708583595226e7494f3_4_0_7587_0.dll'
2020-07-29 08:39:14.9194 6584 17  Debug [NetworkListener] Loaded cached assembly 'WfpUtility_2b98b4becc0f1708583595226e7494f3_4_0_7587_0.dll'
2020-07-29 08:39:14.9340 6584 17  Debug [NetworkListener] Recompiling module assembly 'WFPCapture'
2020-07-29 08:39:16.1196 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WFPCapture_6e97a2e2078fc2b9fd853d1d2dc50fff_4_0_7587_0.dll'
2020-07-29 08:39:16.1196 6584 17  Debug [NetworkListener] Loaded cached assembly 'WFPCapture_6e97a2e2078fc2b9fd853d1d2dc50fff_4_0_7587_0.dll'
2020-07-29 08:39:17.8262 6584 17  Debug [NetworkListener] Recompiling module assembly 'X509'
2020-07-29 08:39:21.6764 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\X509_ef5ce6f94852dccc7a0591bb7e7a26a5_4_0_7587_0.dll'
2020-07-29 08:39:21.6764 6584 17  Debug [NetworkListener] Loaded cached assembly 'X509_ef5ce6f94852dccc7a0591bb7e7a26a5_4_0_7587_0.dll'
2020-07-29 08:39:21.7001 6584 17  Debug [NetworkListener] Recompiling module assembly 'MicrosoftCommonResources'
2020-07-29 08:39:21.8911 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\MicrosoftCommonResources_ce18f767b75b9c811a6e7e0170e9f01e_4_0_7587_0.dll'
2020-07-29 08:39:21.8911 6584 17  Debug [NetworkListener] Loaded cached assembly 'MicrosoftCommonResources_ce18f767b75b9c811a6e7e0170e9f01e_4_0_7587_0.dll'
2020-07-29 08:39:21.8962 6584 17  Debug [NetworkListener] Recompiling module assembly 'KerberosV5'
2020-07-29 08:39:24.0478 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\KerberosV5_df67bd38df39aee184f2207c06aca59a_4_0_7587_0.dll'
2020-07-29 08:39:24.0478 6584 17  Debug [NetworkListener] Loaded cached assembly 'KerberosV5_df67bd38df39aee184f2207c06aca59a_4_0_7587_0.dll'
2020-07-29 08:39:25.8398 6584 17  Debug [NetworkListener] Recompiling module assembly 'SPNG'
2020-07-29 08:39:26.1084 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SPNG_dcdb65adda9e97beb2eee5701647085e_4_0_7587_0.dll'
2020-07-29 08:39:26.1084 6584 17  Debug [NetworkListener] Loaded cached assembly 'SPNG_dcdb65adda9e97beb2eee5701647085e_4_0_7587_0.dll'
2020-07-29 08:39:26.1218 6584 17  Debug [NetworkListener] Recompiling module assembly 'DTYP'
2020-07-29 08:39:27.6318 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DTYP_4199acf0eb5fb905f2a0de12c35eebb2_4_0_7587_0.dll'
2020-07-29 08:39:27.6318 6584 17  Debug [NetworkListener] Loaded cached assembly 'DTYP_4199acf0eb5fb905f2a0de12c35eebb2_4_0_7587_0.dll'
2020-07-29 08:39:27.6474 6584 17  Debug [NetworkListener] Recompiling module assembly 'NLMP'
2020-07-29 08:39:28.0224 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NLMP_1b919357fe00e9544a56aa364da61a49_4_0_7587_0.dll'
2020-07-29 08:39:28.0224 6584 17  Debug [NetworkListener] Loaded cached assembly 'NLMP_1b919357fe00e9544a56aa364da61a49_4_0_7587_0.dll'
2020-07-29 08:39:28.0338 6584 17  Debug [NetworkListener] Recompiling module assembly 'GSSAPIKRB5'
2020-07-29 08:39:28.3815 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\GSSAPIKRB5_6754fa32d88e8595adbbb01922ecbd53_4_0_7587_0.dll'
2020-07-29 08:39:28.3815 6584 17  Debug [NetworkListener] Loaded cached assembly 'GSSAPIKRB5_6754fa32d88e8595adbbb01922ecbd53_4_0_7587_0.dll'
2020-07-29 08:39:28.3956 6584 17  Debug [NetworkListener] Recompiling module assembly 'GSSAPI'
2020-07-29 08:39:28.7237 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\GSSAPI_2911f93208236408d48f9d9badb8157c_4_0_7587_0.dll'
2020-07-29 08:39:28.7237 6584 17  Debug [NetworkListener] Loaded cached assembly 'GSSAPI_2911f93208236408d48f9d9badb8157c_4_0_7587_0.dll'
2020-07-29 08:39:28.7862 6584 17  Debug [NetworkListener] Recompiling module assembly 'DNS'
2020-07-29 08:39:29.5565 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DNS_ea8aeeee348c5c63fc4ee4d2570c6ac9_4_0_7587_0.dll'
2020-07-29 08:39:29.5565 6584 17  Debug [NetworkListener] Loaded cached assembly 'DNS_ea8aeeee348c5c63fc4ee4d2570c6ac9_4_0_7587_0.dll'
2020-07-29 08:39:32.5915 6584 17  Debug [NetworkListener] Recompiling module assembly 'ABNF'
2020-07-29 08:39:32.8884 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ABNF_892875283a4bdb8915030a4bfb11b857_4_0_7587_0.dll'
2020-07-29 08:39:32.8884 6584 17  Debug [NetworkListener] Loaded cached assembly 'ABNF_892875283a4bdb8915030a4bfb11b857_4_0_7587_0.dll'
2020-07-29 08:39:32.9040 6584 17  Debug [NetworkListener] Recompiling module assembly 'HTTP'
2020-07-29 08:39:50.9593 6584 14  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:51.1624 6584 15  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:51.1624 6584 19  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:51.1624 6584 18  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:51.1781 6584 5   Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:51.1781 6584 9   Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:51.3968 6584 11  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:51.3968 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:39:51.9429 6584 10  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:52.0928 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\HTTP_8b220c6b56e44be5d7888c6f202350e2_4_0_7587_0.dll'
2020-07-29 08:39:52.0928 6584 17  Debug [NetworkListener] Loaded cached assembly 'HTTP_8b220c6b56e44be5d7888c6f202350e2_4_0_7587_0.dll'
2020-07-29 08:39:52.0928 6584 14  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:52.0928 6584 19  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:52.0928 6584 15  Debug [DirectoryServicesResolver] Read Kerberos policy [Domain=windomain.local MaxTicketAge=10:00:00 MaxRenewAge=7.00:00:00]
2020-07-29 08:39:53.2357 6584 17  Debug [NetworkListener] Recompiling module assembly 'OCSP'
2020-07-29 08:39:53.7101 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\OCSP_0af750659716e8a8043d835c5c2ed9f2_4_0_7587_0.dll'
2020-07-29 08:39:53.7101 6584 17  Debug [NetworkListener] Loaded cached assembly 'OCSP_0af750659716e8a8043d835c5c2ed9f2_4_0_7587_0.dll'
2020-07-29 08:39:54.7801 6584 17  Debug [NetworkListener] Recompiling module assembly 'TLS'
2020-07-29 08:39:56.1558 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\TLS_d0c9d0bee7097eeab76740d42864211b_4_0_7587_0.dll'
2020-07-29 08:39:56.1558 6584 17  Debug [NetworkListener] Loaded cached assembly 'TLS_d0c9d0bee7097eeab76740d42864211b_4_0_7587_0.dll'
2020-07-29 08:39:56.7128 6584 17  Debug [NetworkListener] Recompiling module assembly 'RPCH'
2020-07-29 08:39:58.4035 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\RPCH_9c8466a6cbd175d08e10b7a034214a63_4_0_7587_0.dll'
2020-07-29 08:39:58.4035 6584 17  Debug [NetworkListener] Loaded cached assembly 'RPCH_9c8466a6cbd175d08e10b7a034214a63_4_0_7587_0.dll'
2020-07-29 08:39:59.9753 6584 17  Debug [NetworkListener] Recompiling module assembly 'MSRPCE'
2020-07-29 08:40:06.3509 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\MSRPCE_016bc621835345f616739d839aec44c1_4_0_7587_0.dll'
2020-07-29 08:40:06.3509 6584 17  Debug [NetworkListener] Loaded cached assembly 'MSRPCE_016bc621835345f616739d839aec44c1_4_0_7587_0.dll'
2020-07-29 08:40:08.9432 6584 17  Debug [NetworkListener] Recompiling module assembly 'DCOM'
2020-07-29 08:40:13.4991 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DCOM_1946afb16adde166d22f6beb42251422_4_0_7587_0.dll'
2020-07-29 08:40:13.4991 6584 17  Debug [NetworkListener] Loaded cached assembly 'DCOM_1946afb16adde166d22f6beb42251422_4_0_7587_0.dll'
2020-07-29 08:40:18.1825 6584 17  Debug [NetworkListener] Recompiling module assembly 'WiFi'
2020-07-29 08:40:22.6289 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:40:23.8336 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WiFi_92c395eb14a2f2d8cbd78d832ba4d067_4_0_7587_0.dll'
2020-07-29 08:40:23.8336 6584 17  Debug [NetworkListener] Loaded cached assembly 'WiFi_92c395eb14a2f2d8cbd78d832ba4d067_4_0_7587_0.dll'
2020-07-29 08:40:23.8648 6584 17  Debug [NetworkListener] Recompiling module assembly 'LLC'
2020-07-29 08:40:24.0999 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LLC_d8d3f9800c37f1ba4aaa634b3d0ab6ad_4_0_7587_0.dll'
2020-07-29 08:40:24.0999 6584 17  Debug [NetworkListener] Loaded cached assembly 'LLC_d8d3f9800c37f1ba4aaa634b3d0ab6ad_4_0_7587_0.dll'
2020-07-29 08:40:25.0314 6584 17  Debug [NetworkListener] Recompiling module assembly 'LinuxCookedMode'
2020-07-29 08:40:25.2971 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LinuxCookedMode_4adb7402ba2a8a19dddc2ca5ef96d2b2_4_0_7587_0.dll'
2020-07-29 08:40:25.2971 6584 17  Debug [NetworkListener] Loaded cached assembly 'LinuxCookedMode_4adb7402ba2a8a19dddc2ca5ef96d2b2_4_0_7587_0.dll'
2020-07-29 08:40:25.3127 6584 17  Debug [NetworkListener] Recompiling module assembly 'OthersResources'
2020-07-29 08:40:25.5278 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\OthersResources_64bdf6c19535ab1a21080983f82e449e_4_0_7587_0.dll'
2020-07-29 08:40:25.5278 6584 17  Debug [NetworkListener] Loaded cached assembly 'OthersResources_64bdf6c19535ab1a21080983f82e449e_4_0_7587_0.dll'
2020-07-29 08:40:25.5523 6584 17  Debug [NetworkListener] Recompiling module assembly 'IdentityAndSecurityResources'
2020-07-29 08:40:25.7463 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\IdentityAndSecurityResources_94ba40c1eacb299f64c96a9f331023db_4_0_7587_0.dll'
2020-07-29 08:40:25.7463 6584 17  Debug [NetworkListener] Loaded cached assembly 'IdentityAndSecurityResources_94ba40c1eacb299f64c96a9f331023db_4_0_7587_0.dll'
2020-07-29 08:40:25.7503 6584 17  Debug [NetworkListener] Recompiling module assembly 'SCMR'
2020-07-29 08:40:29.1494 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SCMR_aed4e5b953b8ce0ee3fa75efd9780356_4_0_7587_0.dll'
2020-07-29 08:40:29.1494 6584 17  Debug [NetworkListener] Loaded cached assembly 'SCMR_aed4e5b953b8ce0ee3fa75efd9780356_4_0_7587_0.dll'
2020-07-29 08:40:30.5423 6584 17  Debug [NetworkListener] Recompiling module assembly 'NBTNS'
2020-07-29 08:40:30.9631 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NBTNS_1f23f634cab281544dfd532c01f6433c_4_0_7587_0.dll'
2020-07-29 08:40:30.9631 6584 17  Debug [NetworkListener] Loaded cached assembly 'NBTNS_1f23f634cab281544dfd532c01f6433c_4_0_7587_0.dll'
2020-07-29 08:40:31.8781 6584 17  Debug [NetworkListener] Recompiling module assembly 'LSA'
2020-07-29 08:40:42.2496 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LSA_0d332d97fd1f4dc0d7851ce5883dfce4_4_0_7587_0.dll'
2020-07-29 08:40:42.2496 6584 17  Debug [NetworkListener] Loaded cached assembly 'LSA_0d332d97fd1f4dc0d7851ce5883dfce4_4_0_7587_0.dll'
2020-07-29 08:40:44.8318 6584 17  Debug [NetworkListener] Recompiling module assembly 'OAUT'
2020-07-29 08:40:45.2693 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\OAUT_47c26755210cbd1290a712cd2547fdf2_4_0_7587_0.dll'
2020-07-29 08:40:45.2693 6584 17  Debug [NetworkListener] Loaded cached assembly 'OAUT_47c26755210cbd1290a712cd2547fdf2_4_0_7587_0.dll'
2020-07-29 08:40:45.2789 6584 17  Debug [NetworkListener] Recompiling module assembly 'SAMR'
2020-07-29 08:40:51.1686 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SAMR_5cb1e57e7b755c9d5f66a05baca36a49_4_0_7587_0.dll'
2020-07-29 08:40:51.1686 6584 17  Debug [NetworkListener] Loaded cached assembly 'SAMR_5cb1e57e7b755c9d5f66a05baca36a49_4_0_7587_0.dll'
2020-07-29 08:40:52.7599 6584 10  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:40:54.5364 6584 17  Debug [NetworkListener] Recompiling module assembly 'NBTSS'
2020-07-29 08:40:54.8489 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NBTSS_004d58449f5dcb6c067cdc3daab90500_4_0_7587_0.dll'
2020-07-29 08:40:54.8645 6584 17  Debug [NetworkListener] Loaded cached assembly 'NBTSS_004d58449f5dcb6c067cdc3daab90500_4_0_7587_0.dll'
2020-07-29 08:40:55.5442 6584 17  Debug [NetworkListener] Recompiling module assembly 'WiFiChannelInfo'
2020-07-29 08:40:56.0583 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WiFiChannelInfo_ff913bc914072da249c66550243da92b_4_0_7587_0.dll'
2020-07-29 08:40:56.0583 6584 17  Debug [NetworkListener] Loaded cached assembly 'WiFiChannelInfo_ff913bc914072da249c66550243da92b_4_0_7587_0.dll'
2020-07-29 08:40:56.0895 6584 17  Debug [NetworkListener] Recompiling module assembly 'NdisEtwProvider'
2020-07-29 08:40:56.5583 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NdisEtwProvider_c25d3e80e4f1f8a93e4875806dd42886_4_0_7587_0.dll'
2020-07-29 08:40:56.5583 6584 17  Debug [NetworkListener] Loaded cached assembly 'NdisEtwProvider_c25d3e80e4f1f8a93e4875806dd42886_4_0_7587_0.dll'
2020-07-29 08:40:57.8539 6584 17  Debug [NetworkListener] Recompiling module assembly 'PefNdisProvider'
2020-07-29 08:40:58.1564 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PefNdisProvider_775d055f4982c26c0f9ea64f7c1fa8cc_4_0_7587_0.dll'
2020-07-29 08:40:58.1564 6584 17  Debug [NetworkListener] Loaded cached assembly 'PefNdisProvider_775d055f4982c26c0f9ea64f7c1fa8cc_4_0_7587_0.dll'
2020-07-29 08:41:00.1254 6584 17  Debug [NetworkListener] Recompiling module assembly 'PPP'
2020-07-29 08:41:00.4504 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PPP_c35103f266be097da6faf13f14956dd8_4_0_7587_0.dll'
2020-07-29 08:41:00.4504 6584 17  Debug [NetworkListener] Loaded cached assembly 'PPP_c35103f266be097da6faf13f14956dd8_4_0_7587_0.dll'
2020-07-29 08:41:02.5096 6584 17  Debug [NetworkListener] Recompiling module assembly 'WindowsReference'
2020-07-29 08:41:02.9750 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WindowsReference_12d1425bd05d5c141c97a31480a1940f_4_0_7587_0.dll'
2020-07-29 08:41:02.9750 6584 17  Debug [NetworkListener] Loaded cached assembly 'WindowsReference_12d1425bd05d5c141c97a31480a1940f_4_0_7587_0.dll'
2020-07-29 08:41:03.0062 6584 17  Debug [NetworkListener] Recompiling module assembly 'DRSR'
2020-07-29 08:41:29.5028 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:41:33.3652 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\DRSR_dca30d34047024780637b88c1bdcd453_4_0_7587_0.dll'
2020-07-29 08:41:33.3652 6584 17  Debug [NetworkListener] Loaded cached assembly 'DRSR_dca30d34047024780637b88c1bdcd453_4_0_7587_0.dll'
2020-07-29 08:41:38.6173 6584 17  Debug [NetworkListener] Recompiling module assembly 'CombinedParser'
2020-07-29 08:41:39.0516 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\CombinedParser_799185d65b4b52e0e29f8d9952c63638_4_0_7587_0.dll'
2020-07-29 08:41:39.0516 6584 17  Debug [NetworkListener] Loaded cached assembly 'CombinedParser_799185d65b4b52e0e29f8d9952c63638_4_0_7587_0.dll'
2020-07-29 08:41:43.4615 6584 17  Debug [NetworkListener] Recompiling module assembly 'Radiotap'
2020-07-29 08:41:43.8835 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Radiotap_75dc12b1828d6f12d1751121af8e8f28_4_0_7587_0.dll'
2020-07-29 08:41:43.8835 6584 17  Debug [NetworkListener] Loaded cached assembly 'Radiotap_75dc12b1828d6f12d1751121af8e8f28_4_0_7587_0.dll'
2020-07-29 08:41:43.9145 6584 17  Debug [NetworkListener] Recompiling module assembly 'Digest'
2020-07-29 08:41:44.4435 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\Digest_7520f612cc12205df045ecbb4a9d7101_4_0_7587_0.dll'
2020-07-29 08:41:44.4435 6584 17  Debug [NetworkListener] Loaded cached assembly 'Digest_7520f612cc12205df045ecbb4a9d7101_4_0_7587_0.dll'
2020-07-29 08:41:44.4452 6584 17  Debug [NetworkListener] Recompiling module assembly 'SASL'
2020-07-29 08:41:44.7576 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SASL_9fcce4f88425ff1b75e88161cc4c7880_4_0_7587_0.dll'
2020-07-29 08:41:44.7576 6584 17  Debug [NetworkListener] Loaded cached assembly 'SASL_9fcce4f88425ff1b75e88161cc4c7880_4_0_7587_0.dll'
2020-07-29 08:41:44.7732 6584 17  Debug [NetworkListener] Recompiling module assembly 'SMBOverTCP'
2020-07-29 08:41:45.0262 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SMBOverTCP_eb7be4739f08df1b51f7172953d78792_4_0_7587_0.dll'
2020-07-29 08:41:45.0262 6584 17  Debug [NetworkListener] Loaded cached assembly 'SMBOverTCP_eb7be4739f08df1b51f7172953d78792_4_0_7587_0.dll'
2020-07-29 08:41:45.0961 6584 17  Debug [NetworkListener] Recompiling module assembly 'FAS'
2020-07-29 08:41:45.3618 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\FAS_6dd8139565f6a7c5def3b6a26e16f08d_4_0_7587_0.dll'
2020-07-29 08:41:45.3618 6584 17  Debug [NetworkListener] Loaded cached assembly 'FAS_6dd8139565f6a7c5def3b6a26e16f08d_4_0_7587_0.dll'
2020-07-29 08:41:45.3774 6584 17  Debug [NetworkListener] Recompiling module assembly 'NBF'
2020-07-29 08:41:45.9858 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\NBF_e3852cb859be4ad5ecd54a9950fb5a28_4_0_7587_0.dll'
2020-07-29 08:41:45.9858 6584 17  Debug [NetworkListener] Loaded cached assembly 'NBF_e3852cb859be4ad5ecd54a9950fb5a28_4_0_7587_0.dll'
2020-07-29 08:41:46.9317 6584 17  Debug [NetworkListener] Recompiling module assembly 'SMBTransport'
2020-07-29 08:41:49.9136 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SMBTransport_2c1b9935a9beb1c9c8749c943a03f5c5_4_0_7587_0.dll'
2020-07-29 08:41:49.9136 6584 17  Debug [NetworkListener] Loaded cached assembly 'SMBTransport_2c1b9935a9beb1c9c8749c943a03f5c5_4_0_7587_0.dll'
2020-07-29 08:41:57.1973 6584 17  Debug [NetworkListener] Recompiling module assembly 'EPM'
2020-07-29 08:41:59.5597 6584 6   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:41:59.6535 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\EPM_032874d04ce88eb14d34d28fa7a6f571_4_0_7587_0.dll'
2020-07-29 08:41:59.6535 6584 17  Debug [NetworkListener] Loaded cached assembly 'EPM_032874d04ce88eb14d34d28fa7a6f571_4_0_7587_0.dll'
2020-07-29 08:42:01.1787 6584 17  Debug [NetworkListener] Recompiling module assembly 'FSCC'
2020-07-29 08:42:12.3812 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\FSCC_1ce730ffdcbfdab1d0cfccb077097bda_4_0_7587_0.dll'
2020-07-29 08:42:12.3812 6584 17  Debug [NetworkListener] Loaded cached assembly 'FSCC_1ce730ffdcbfdab1d0cfccb077097bda_4_0_7587_0.dll'
2020-07-29 08:42:12.4131 6584 17  Debug [NetworkListener] Recompiling module assembly 'FileSharingResources'
2020-07-29 08:42:12.5941 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\FileSharingResources_bc955ec4e751f1d7f84a3132e3c67a00_4_0_7587_0.dll'
2020-07-29 08:42:12.5941 6584 17  Debug [NetworkListener] Loaded cached assembly 'FileSharingResources_bc955ec4e751f1d7f84a3132e3c67a00_4_0_7587_0.dll'
2020-07-29 08:42:12.6091 6584 17  Debug [NetworkListener] Recompiling module assembly 'SMB'
2020-07-29 08:42:23.2839 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SMB_e9d4b475af4f8ccbb06c2f2fbe395b5a_4_0_7587_0.dll'
2020-07-29 08:42:23.2839 6584 17  Debug [NetworkListener] Loaded cached assembly 'SMB_e9d4b475af4f8ccbb06c2f2fbe395b5a_4_0_7587_0.dll'
2020-07-29 08:42:31.8910 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:42:34.8013 6584 17  Debug [NetworkListener] Recompiling module assembly 'SRVS'
2020-07-29 08:42:38.9515 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SRVS_6c3e0de06ce6dd35c27e9dff4ba781a0_4_0_7587_0.dll'
2020-07-29 08:42:38.9515 6584 17  Debug [NetworkListener] Loaded cached assembly 'SRVS_6c3e0de06ce6dd35c27e9dff4ba781a0_4_0_7587_0.dll'
2020-07-29 08:42:40.3486 6584 17  Debug [NetworkListener] Recompiling module assembly 'ERF'
2020-07-29 08:42:40.6186 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\ERF_fc059de6a721976592bc02a67ad246b1_4_0_7587_0.dll'
2020-07-29 08:42:40.6186 6584 17  Debug [NetworkListener] Loaded cached assembly 'ERF_fc059de6a721976592bc02a67ad246b1_4_0_7587_0.dll'
2020-07-29 08:42:40.6227 6584 17  Debug [NetworkListener] Recompiling module assembly 'WMI'
2020-07-29 08:42:45.1746 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\WMI_2f62b36a315fb638e19e80a4b9c17e8c_4_0_7587_0.dll'
2020-07-29 08:42:45.1746 6584 17  Debug [NetworkListener] Loaded cached assembly 'WMI_2f62b36a315fb638e19e80a4b9c17e8c_4_0_7587_0.dll'
2020-07-29 08:43:02.6888 6584 11  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:43:02.9188 6584 17  Debug [NetworkListener] Recompiling module assembly 'PCCRC'
2020-07-29 08:43:03.4480 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PCCRC_07727941628446634e371d36f98cd1c3_4_0_7587_0.dll'
2020-07-29 08:43:03.4480 6584 17  Debug [NetworkListener] Loaded cached assembly 'PCCRC_07727941628446634e371d36f98cd1c3_4_0_7587_0.dll'
2020-07-29 08:43:03.4637 6584 17  Debug [NetworkListener] Recompiling module assembly 'SMB2'
2020-07-29 08:43:11.9865 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\SMB2_61a745a9a6f49f7a967f8d7de3cb1e43_4_0_7587_0.dll'
2020-07-29 08:43:11.9865 6584 17  Debug [NetworkListener] Loaded cached assembly 'SMB2_61a745a9a6f49f7a967f8d7de3cb1e43_4_0_7587_0.dll'
2020-07-29 08:43:15.6872 6584 17  Debug [NetworkListener] Recompiling module assembly 'PcapFileActors'
2020-07-29 08:43:15.9059 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PcapFileActors_eb1c5085186d410487b78ea1d6cb286c_4_0_7587_0.dll'
2020-07-29 08:43:15.9059 6584 17  Debug [NetworkListener] Loaded cached assembly 'PcapFileActors_eb1c5085186d410487b78ea1d6cb286c_4_0_7587_0.dll'
2020-07-29 08:43:17.6377 6584 17  Debug [NetworkListener] Recompiling module assembly 'PPPoE'
2020-07-29 08:43:17.9346 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\PPPoE_efe332ffe6904b2560ba4d9cf25a0b67_4_0_7587_0.dll'
2020-07-29 08:43:17.9346 6584 17  Debug [NetworkListener] Loaded cached assembly 'PPPoE_efe332ffe6904b2560ba4d9cf25a0b67_4_0_7587_0.dll'
2020-07-29 08:43:20.3175 6584 17  Debug [NetworkListener] Recompiling module assembly 'LDAPDecodingHelper'
2020-07-29 08:43:20.6035 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LDAPDecodingHelper_199bfaed740a57a1d76220bbe45b1b9c_4_0_7587_0.dll'
2020-07-29 08:43:20.6035 6584 17  Debug [NetworkListener] Loaded cached assembly 'LDAPDecodingHelper_199bfaed740a57a1d76220bbe45b1b9c_4_0_7587_0.dll'
2020-07-29 08:43:20.6302 6584 17  Debug [NetworkListener] Recompiling module assembly 'TSCH'
2020-07-29 08:43:25.1194 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\TSCH_2d68ca7aeb99b932d0830751592fd3c2_4_0_7587_0.dll'
2020-07-29 08:43:25.1194 6584 17  Debug [NetworkListener] Loaded cached assembly 'TSCH_2d68ca7aeb99b932d0830751592fd3c2_4_0_7587_0.dll'
2020-07-29 08:43:31.1795 6584 17  Debug [NetworkListener] Recompiling module assembly 'LDAP'
2020-07-29 08:43:32.9591 6584 19  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:43:35.1135 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\LDAP_8d4d59778ee7fb2e599a68b44060bcd7_4_0_7587_0.dll'
2020-07-29 08:43:35.1135 6584 17  Debug [NetworkListener] Loaded cached assembly 'LDAP_8d4d59778ee7fb2e599a68b44060bcd7_4_0_7587_0.dll'
2020-07-29 08:43:37.6875 6584 17  Debug [NetworkListener] Recompiling module assembly 'CLDAP'
2020-07-29 08:43:37.9375 6584 17  Debug [NetworkListener] Module assembly saved 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Pef\Cache\CLDAP_23fd6f2c85a592e9121bd3f7c21c6390_4_0_7587_0.dll'
2020-07-29 08:43:37.9375 6584 17  Debug [NetworkListener] Loaded cached assembly 'CLDAP_23fd6f2c85a592e9121bd3f7c21c6390_4_0_7587_0.dll'
2020-07-29 08:43:38.4296 6584 17  Debug [NetworkListener] Compiled OPN files
2020-07-29 08:44:03.2416 6584 7   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:44:33.2557 6584 6   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:45:03.2573 6584 17  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:45:33.2846 6584 21  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:46:03.2896 6584 9   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:46:33.3046 6584 13  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:47:03.4258 6584 13  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:47:33.6303 6584 9   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:48:03.6389 6584 9   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:48:33.6499 6584 8   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:48:43.8489 6584 22  Debug [DirectoryServicesResolver] Domain controller [DnsName=dc.windomain.local IsReadOnly=False IpAddresses=192.168.38.102]
2020-07-29 08:49:03.6526 6584 4   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:49:33.6657 6584 4   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:50:03.6772 6584 7   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:50:33.6934 6584 9   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:51:03.7095 6584 14  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:51:33.7123 6584 13  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:52:03.7164 6584 4   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:52:33.7207 6584 21  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:53:03.7234 6584 4   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:53:33.7352 6584 21  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:54:03.7380 6584 7   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:54:33.7414 6584 4   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:55:03.7580 6584 21  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:55:33.7763 6584 23  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:56:03.7905 6584 24  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:56:33.8028 6584 24  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:57:03.8186 6584 7   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:57:33.8270 6584 23  Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:58:03.9328 6584 5   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:58:33.9376 6584 5   Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
   at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
   at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
   at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
2020-07-29 08:58:43.8995 6584 18  Debug [DirectoryServicesResolver] Domain controller [DnsName=dc.windomain.local IsReadOnly=False IpAddresses=192.168.38.102]
2020-07-29 08:59:03.9653 6584 21  Info  [WindowsEventLogReader] Event log watcher for Security is enabled
2020-07-29 08:59:03.9809 6584 21  Info  [WindowsEventLogReader] Event log watcher for System is enabled
2020-07-29 09:08:43.9392 6584 22  Debug [DirectoryServicesResolver] Domain controller [DnsName=dc.windomain.local IsReadOnly=False IpAddresses=192.168.38.102]

[Mirabis]

Removing the ATA installation from the DC, rebooting and triggering 'install-microsoft-ata.ps1' from the wef machine gives the following:

Manually downloading it and copying commands out of the .PS1 I get the following:

Waiting a while for it to start I continued with the remainder of the commands on WEF:

Seems like a SSL validation issue so I checked the rest of the code and tried to re-add the 'SSLValidator'

After this and a little debugging I located a different PowerShell snippet to disable the CertificatePolicy (instead of the ServerCertificateValidationCallback) and was able to get it working:

add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

The UI also shows the correct information now:

Unfortunately all those steps still did not fix the initial issue. The Gateway logs are full of errors related to access rights: " System.UnauthorizedAccessException: Attempted to perform an unauthorized operation."

[clong]

I seem to be unable to reproduce this. I just spun up the lab in Azure and did the following:

Logged into ATA, everything looks OK

From win10, ran nslookup, then ls -d windomain.local Also did a dcsync via:

c:\tools\mimikatz\x64\mimikatz.exe
lsadump::dcsync /domain:windomain.local /user:krbtgt

Let me dig through the logs you've attached and see if anything sticks out

[clong]

For what it's worth, I have a bunch of those "Attempted to perform an unauthorized operation." errors and everything seems to be working fine. If you get a chance to spin this up in Azure again, I would be really curious to see if you run into the same issue or if it was intermittent.

It looks like that log is likely related to ATA trying to read an eventlog channel that it doesn't have permission to access.

[Mirabis]

I will spin up a new environment later today to check and report back.

[Mirabis]

I pulled all changes in today and re-ran the entire Terraform/Ansible deployment. This time it correctly added both machines to the Domain and the Advanced Threat Protection installation was completed without manual intervention. However:

• Licensing volume is an issue but I now added a Dev license to fix that;
• Splunk populates Logger dashboard events fine after performing activities;
• Microsoft ATA still empty (tried exact same as you did above as well)
• ThreatHunter dashboard stays empty
• Tried BadBlood to see if stats update, it shows new group/user stats but no detections still.

What data/info would you need to assist?

--------------- EDIT

It took a long while .. 5-10 min between performing the activity to showing up in the dashboard.

[clong]

Yeah, there's definitely a delay with ATA - not sure how to troubleshoot that, I'm guessing it's primarily due to the low RAM/CPU on the DC backing the lightweight gateway. I don't think there's a workaround other than to give it a beefier box.

Re: the other issues:

Licensing volume is an issue but I now added a Dev license to fix that;

I'll open an issue to try to keep indexing under 500mb per day and see if there's more noise I can cut down to prevent license violations.

ThreatHunter dashboard stays empty

I noticed this recently as well. Will open an issue for this.

Tried BadBlood to see if stats update, it shows new group/user stats but no detections still.

I don't think there would be detections for adding a bunch of new users and groups to the domain. What type of detections are you expecting to see from running BadBlood?

[clong]

I'm going to close this issue because I think the problem being described in it has been resolved and may have been intermittent.

I've opened up the following new issues based on your most recent comment:

501 - Keep daily Splunk ingest below 500mb to prevent trial license violations

502 - Threathunting index is empty

Thanks for reporting these and feel free to open any new issues you come across!

[Mirabis]

Yeah, there's definitely a delay with ATA - not sure how to troubleshoot that, I'm guessing it's primarily due to the low RAM/CPU on the DC backing the lightweight gateway. I don't think there's a workaround other than to give it a beefier box.

Re: the other issues:

Licensing volume is an issue but I now added a Dev license to fix that;

I'll open an issue to try to keep indexing under 500mb per day and see if there's more noise I can cut down to prevent license violations.

ThreatHunter dashboard stays empty

I noticed this recently as well. Will open an issue for this.

Tried BadBlood to see if stats update, it shows new group/user stats but no detections still.

I don't think there would be detections for adding a bunch of new users and groups to the domain. What type of detections are you expecting to see from running BadBlood?

I'm aware I'm responding to a closed ticket but: I was not expecting detections from BadBlood. I was just checking whether it would show the updates in User, Group, Computer counts as a way to confirm the stats do update. If they did not update it was just not receiving any info > if they did update it was just not receiving any malicious activity notifications from earlier actions (dcsync, dump, cobaltstrike beacons etc.).

[clong]

Ah, I see what you're saying - the ATA console doesn't show the additional users? I wonder if maybe it doesn't count them unless they get logged into?

[Mirabis]

Ah no, it did show the new updated count for users, groups and computers. That was my way of confirming it does receive information from the gateway. So from that point on I was more focused on why it did not show any detections as a second debugging step.