diff --git a/ASIM/schemas/ASimFileEvent.yaml b/ASIM/schemas/ASimFileEvent.yaml
index c261903452e..47a6d10a1f8 100644
--- a/ASIM/schemas/ASimFileEvent.yaml
+++ b/ASIM/schemas/ASimFileEvent.yaml
@@ -1,6 +1,6 @@
Schema:
Schema: FileEvent
- Version: '0.2.2'
+ Version: '0.2.3'
Last Updated: Sept 12 2023
References:
- Title: ASIM File Event Schema
@@ -183,9 +183,9 @@ Fields:
- Name: Hash
Type: string
- Class: Conditional
+ Class: Alias
Description: Alias to the best available Target File hash.
- Follows: [TargetFileMD5, TargetFileSHA1, TargetFileSHA256, TargetFileSHA512]
+ Aliases: [TargetFileMD5, TargetFileSHA1, TargetFileSHA256, TargetFileSHA512]
- Name: HashType
Class: Conditional
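Review bot: `Version` was bumped to `'0.2.3'` in the preceding hunk but the `Last Updated: Sept 12 2023` context line right under it was left untouched; if this alias change is what the bump records, the date should move with it (the ASimProcessEvent.yaml header has the same gap, `'0.1.5'` next to `Last Updated: Mar 06, 2023`). The Hash field keeps `Description: Alias to the best available Target File hash.` while now listing four `Aliases:`, so a short clause stating which hash takes precedence when more than one is present would make the alias semantics explicit for parser authors.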
diff --git a/ASIM/schemas/ASimProcessEvent.yaml b/ASIM/schemas/ASimProcessEvent.yaml
index e1f791ec06a..8ccb4cdfe93 100644
--- a/ASIM/schemas/ASimProcessEvent.yaml
+++ b/ASIM/schemas/ASimProcessEvent.yaml
@@ -1,6 +1,6 @@
Schema:
Schema: ProcessEvent
- Version: '0.1.4'
+ Version: '0.1.5'
Last Updated: Mar 06, 2023
References:
- Title: ASIM Process Event Schema
@@ -17,6 +17,8 @@ Include:
# Common fields
- Name: Event Fields
File: common/ASimEventFields.yaml
+- Name: Inspection fields
+ File: common/ASimInspectionFields.yaml
# Entities
- Name: Dvc
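Review bot: The new include is named `Inspection fields` while the neighbouring entry reads `Event Fields`; `- Name: Inspection Fields` would keep the Include names on one casing convention. The referenced `common/ASimInspectionFields.yaml` is not part of this change, so I cannot confirm that the path resolves.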
diff --git a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
index b1ce1681144..53a2b63de9d 100644
--- a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
@@ -73,7 +73,6 @@ ParserParams:
- Name: pack
Type: bool
Default: false
-
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
new file mode 100644
index 00000000000..0f812cc8625
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
@@ -0,0 +1,39 @@
+Parser:
+ Title: User Management ASIM parser
+ Version: '0.1.0'
+ LastUpdated: 16 Jul, 2023
+Product:
+ Name: Source agnostic
+Normalization:
+ Schema: UserManagement
+ Version: '0.1'
+References:
+- Title: ASIM UserManagement Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing User Management logs from all supported sources to the ASIM User Management normalized schema.
+ParserName: ASimUserManagement
+EquivalentBuiltInParser: _ASim_UserManagement
+Parsers:
+ - _Im_UserManagement_Empty
+ - _ASim_UserManagement_MicrosoftSecurityEvent
+ParserParams:
+ - Name: pack
+ Type: bool
+ Default: false
+ParserQuery: |
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
+ let ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
+ let parser=(
+ pack:bool=false
+ ){
+ union isfuzzy=true
+ vimUserManagementEmpty,
+ ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
+ ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers)))
+ };
+ parser (
+ pack=pack
+ )
\ No newline at end of file
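Review bot: The string literal in `'ExcludeASimUserManagementCiscoISE in (DisabledParsers)` is never closed, so the entire ParserQuery fails to parse; the line should read `ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers)))`. The `DisabledParsers` materialization omits the trailing `| where isnotempty(SourceSpecificParser)` that imNetworkSession.yaml and imUserManagement.yaml apply, so an empty `SourceSpecificParser` watchlist value ends up in the set. `ASimUserManagementCiscoISE` is called by the union but is neither listed under `Parsers:` nor defined in this change; `isfuzzy=true` tolerates the missing function, but the list should name every source parser the union invokes. `Normalization.Version` is `'0.1'` here while vimUserManagementEmpty.yaml and the MicrosoftSecurityEvent parser declare `'0.1.1'`, and the file lacks a trailing newline.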
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementMicrosoftSecurityEvent.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementMicrosoftSecurityEvent.yaml
new file mode 100644
index 00000000000..e12186b78d5
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementMicrosoftSecurityEvent.yaml
@@ -0,0 +1,252 @@
+Parser:
+ Title: User Management ASIM parser for Microsoft Security Event logs
+ Version: '0.1.0'
+ LastUpdated: 16 Jul, 2023
+Product:
+ Name: Microsoft
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: Audit User Account Management
+ Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
+Description: |
+ This ASIM parser supports normalizing Microsoft Security Event logs delivered using AMA to the ASIM UserManagement normalized schema.
+ParserName: ASimUserManagementMicrosoftSecurityEvent
+EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ disabled:bool = false
+ ) {
+ let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)
+ [
+ "4720", "UserCreated", "UserCreated", "",
+ "4722", "UserEnabled", "UserModified", "",
+ "4723", "PasswordChanged", "UserModified", "",
+ "4724", "PasswordReset", "UserModified", "",
+ "4725", "UserDisabled", "UserModified", "",
+ "4726", "UserDeleted", "UserModified", "",
+ "4727", "GroupCreated", "GroupCreated", "Global Security Enabled",
+ "4728", "UserAddedToGroup", "GroupModified", "Global Security Enabled",
+ "4729", "UserRemovedFromGroup", "GroupModified", "Global Security Enabled",
+ "4730", "GroupDeleted", "GroupModified", "Global Security Enabled",
+ "4731", "GroupCreated", "GroupCreated", "Local Security Enabled",
+ "4732", "UserAddedToGroup", "GroupModified", "Local Security Enabled",
+ "4733", "UserRemovedFromGroup", "GroupModified", "Local Security Enabled",
+ "4734", "GroupDeleted", "GroupModified", "Local Security Enabled",
+ "4738", "UserModified", "UserModified", "",
+ "4740", "UserLocked", "UserModified", "",
+ "4744", "GroupCreated", "GroupCreated", "Local Distribution",
+ "4748", "GroupDeleted", "GroupModified", "Local Distribution",
+ "4749", "GroupCreated", "GroupCreated", "Global Distribution",
+ "4753", "GroupDeleted", "GroupModified", "Global Distribution",
+ "4754", "GroupCreated", "GroupCreated", "Universal Security Enabled",
+ "4756", "UserAddedToGroup", "GroupModified", "Universal Security Enabled",
+ "4757", "UserRemovedFromGroup", "GroupModified", "Universal Security Enabled",
+ "4758", "GroupDeleted", "GroupModified", "Universal Security Enabled",
+ "4759", "GroupCreated", "GroupCreated", "Universal Distribution",
+ "4763", "GroupDeleted", "GroupModified", "Universal Distribution",
+ "4767", "UserLocked", "UserModified", "",
+ "4781", "UserModified", "UserModified", ""
+ ];
+ let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)
+ [
+ 'User', 'Regular',
+ 'Machine', 'Machine'
+ ];
+ let UserEventID = toscalar(
+ EventIDLookup
+ | where not(disabled)
+ | where EventSubType in("UserCreated","UserModified")
+ | summarize make_set(EventID)
+ );
+ let GroupEventID = toscalar(
+ EventIDLookup
+ | where not(disabled)
+ | where EventSubType in("GroupCreated","GroupModified")
+ | summarize make_set(EventID)
+ );
+ union (
+ WindowsEvent
+ | where not(disabled)
+ | where EventID in(UserEventID)
+ | extend
+ ActorOriginalUserType = tostring(EventData.AccountType),
+ ActorSessionId = tostring(EventData.SubjectLogonId),
+ ActorUserId = tostring(EventData.SubjectUserSid),
+ NewTargetUserName = tostring(EventData.NewTargetUserName),
+ OldTargetUserName = tostring(EventData.OldTargetUserName),
+ SubjectDomainName = tostring(EventData.SubjectDomainName),
+ SubjectUserName = tostring(EventData.SubjectUserName),
+ TargetDomain = tostring(EventData.TargetDomainName),
+ TargetUserId = tostring(EventData.TargetSid),
+ TargetUsername = tostring(EventData.TargetUserName),
+ EventMessage = tostring(EventData.Activity)
+ | project-rename
+ NewPropertyValue = NewTargetUserName,
+ PreviousPropertyValue = OldTargetUserName
+ | extend
+ TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage
+ | extend
+ TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
+ TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where EventID in(UserEventID)
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ TargetDomain = TargetDomainName,
+ TargetUserId = TargetSid,
+ TargetUsername = TargetUserName,
+ EventMessage = Activity
+ | parse-kv EventData as
+ (
+ OldTargetUserName:string,
+ NewTargetUserName:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ NewPropertyValue = NewTargetUserName,
+ PreviousPropertyValue = OldTargetUserName
+ | extend
+ TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage
+ | extend
+ TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
+ TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
+ ),(
+ WindowsEvent
+ | where not(disabled)
+ | where EventID in(GroupEventID)
+ | extend
+ ActorOriginalUserType = tostring(EventData.AccountType),
+ ActorSessionId = tostring(EventData.SubjectLogonId),
+ ActorUserId = tostring(EventData.SubjectUserSid),
+ GroupDomain = tostring(EventData.TargetDomainName),
+ GroupId = tostring(EventData.TargetSid),
+ GroupName = tostring(EventData.TargetUserName),
+ MemberName = tostring(EventData.MemberName),
+ MemberSid = tostring(EventData.MemberSid),
+ NewTargetUserName = tostring(EventData.NewTargetUserName),
+ OldTargetUserName = tostring(EventData.OldTargetUserName),
+ SubjectDomainName = tostring(EventData.SubjectDomainName),
+ SubjectUserName = tostring(EventData.SubjectUserName),
+ EventMessage = tostring(EventData.Activity)
+ | extend
+ GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName)),
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))
+ | where EventID in(GroupEventID)
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ GroupDomain = TargetDomainName,
+ GroupId = TargetSid,
+ GroupName = TargetUserName,
+ EventMessage = Activity
+ | extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
+ | parse-kv EventData as
+ (
+ MemberName:string,
+ MemberSid:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ TargetUsername = MemberName,
+ TargetUserId = MemberSid
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)
+ | parse-kv EventData as
+ (
+ TargetUserName:string,
+ TargetDomainName:string,
+ TargetSid:string,
+ SubjectUserSid:string,
+ AccountType:string,
+ SubjectLogonId:string,
+ SubjectDomainName:string,
+ SubjectUserName:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ GroupDomain = TargetDomainName,
+ GroupId = TargetSid,
+ GroupName = TargetUserName,
+ EventMessage = Activity
+ | extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
+ | parse-kv EventData as
+ (
+ MemberName:string,
+ MemberSid:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ )
+ | lookup EventIDLookup on EventID
+ | extend UpdatedPropertyName = EventSubType
+ | invoke _ASIM_ResolveDvcFQDN ("Computer")
+ | lookup UserTypeLookup on ActorOriginalUserType
+ | extend
+ DvcId = coalesce(_ResourceId, SourceComputerId),
+ EventOriginalType = tostring(EventID)
+ | project-rename
+ EventUid = _ItemId
+ | extend
+ ActorDomain = SubjectDomainName,
+ DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceID", ""),
+ ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)),
+ Dvc = DvcHostname,
+ DvcOs = "Windows",
+ EventCount = int(1),
+ EventEndTime = TimeGenerated,
+ EventProduct = 'Security Events',
+ EventResult = "Success",
+ EventSchema = "UserManagement",
+ EventSchemaVersion = "0.1.1",
+ EventSeverity = "Informational",
+ EventStartTime = TimeGenerated,
+ EventVendor = 'Microsoft',
+ Hostname = DvcHostname
+ | project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID
+ | extend
+ ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+ ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
+ GroupNameType = _ASIM_GetUsernameType(GroupName),
+ TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+ TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),
+ User = ActorUsername
+ };
+ parser (disabled=disabled)
\ No newline at end of file
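Review bot: The `ActorUserType` produced by `| lookup UserTypeLookup on ActorOriginalUserType` is overwritten by `ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId)` in the final extend, so the lookup table and its AccountType mapping have no effect; either drop the lookup or keep its result with `ActorUserType = coalesce(ActorUserType, _ASIM_GetUserType(ActorUsername,ActorUserId))`, whichever the schema intends. `ActorUserIdType` is never set although `ActorUserId` is always a SID in every branch here; `ActorUserIdType = iff(isnotempty(ActorUserId), "SID", "")` beside the existing `TargetUserIdType` line would be consistent. `EventIDLookup` declares `EventID:int` but lists the IDs as quoted strings (`"4720"`, …); if the engine does not coerce them the datatable fails, so bare integers are the safe form (the same table is repeated in vimUserManagementMicrosoftSecurityEvent.yaml). The reference `Link: https:/aka.ms/AboutASIM` is missing a slash, as are the same links in vimUserManagementEmpty.yaml and vimUserManagementMicrosoftSecurityEvent.yaml.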
diff --git a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
new file mode 100644
index 00000000000..142878b70c9
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
@@ -0,0 +1,72 @@
+Parser:
+ Title: User Management ASIM filtering parser
+ Version: '0.1.0'
+ LastUpdated: 16 Jul, 2023
+Product:
+ Name: Source agnostic
+Normalization:
+ Schema: UserManagement
+ Version: '0.1'
+References:
+- Title: ASIM UserManagement Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing User Management logs from all supported sources to the ASIM User Management normalized schema.
+ParserName: imUserManagement
+EquivalentBuiltInParser: _Im_UserManagement
+Parsers:
+ - _Im_UserManagement_Empty
+ - _Im_UserManagement_MicrosoftSecurityEvent
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: targetusername_has
+ Type: string
+ Default: '*'
+ - Name: actorusername_has
+ Type: string
+ Default: '*'
+ - Name: targetdomain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: anydomain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: pack
+ Type: bool
+ Default: false
+ParserQuery: |
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
+ let ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
+ let parser=(
+ starttime:datetime=datetime(null),
+ endtime:datetime=datetime(null),
+ targetusername_has:string="*",
+ actorusername_has:string="",
+ targetdomain_has_any:dynamic=dynamic([]),
+ anydomain_has_any:dynamic=dynamic([]),
+ pack:bool=false)
+ {
+ union isfuzzy=true
+ vimUserManagementEmpty,
+ vimUserManagementMicrosoftSecurityEvent(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, anydomain_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),
+ vimUserManagementCiscoISE(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, anydomain_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) ))
+ };
+ parser (
+ starttime=starttime,
+ endtime=endtime,
+ targetusername_has=targetusername_has,
+ actorusername_has=actorusername_has,
+ targetdomain_has_any=targetdomain_has_any,
+ anydomain_has_any=anydomain_has_any,
+ hostname_has_any=hostname_has_any,
+ dvcaction=dvcaction,
+ eventresult=eventresult,
+ pack=pack
+ )
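Review bot: The final call passes `hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult`, but none of these names is a declared parameter of `parser` or of this function's ParserParams, so the query fails to compile; those three lines should be dropped. The `parser` signature defaults `actorusername_has` to `""` while ParserParams declares `'*'` and the callee tests `actorusername_has=='*'`, so a call that omits the argument filters on an empty string instead of matching everything; use `actorusername_has:string="*"` (the vimUserManagementMicrosoftSecurityEvent.yaml signature has the same mismatch). The union calls `vimUserManagementMicrosoftSecurityEvent`, yet that new file's header still declares `ParserName: ASimUserManagementMicrosoftSecurityEvent` and `EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent`, apparently copied from the ASim file, so the deployed function name would not match this call or the `_Im_UserManagement_MicrosoftSecurityEvent` entry in `Parsers:`. `vimUserManagementCiscoISE` is invoked but absent from the `Parsers:` list and not defined in this change.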
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml
new file mode 100644
index 00000000000..5fc49692299
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml
@@ -0,0 +1,111 @@
+Parser:
+ Title: User Management ASIM schema function
+ Version: '0.1.0'
+ LastUpdated: 17 Jul2023
+Product:
+ Name: Source Agnostic
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+Description: |
+ This function returns an empty ASIM UserManagement schema
+ParserName: vimUserManagementEmpty
+EquivalentBuiltInParser: _Im_UserManagement_Empty
+ParserQuery: |
+ let parser=datatable(
+ TimeGenerated:datetime,
+ _ResourceId:string,
+ Type:string,
+ ActorUsername:string, // Mandatory
+ ActorUsernameType:string, // Mandatory
+ Dvc:string, // Mandatory
+ EventCount:int, // Mandatory
+ EventEndTime:datetime, // Mandatory
+ EventProduct:string, // Mandatory
+ EventResult:string, // Mandatory
+ EventSchema:string, // Mandatory
+ EventSchemaVersion:string, // Mandatory
+ EventSeverity:string, // Mandatory
+ EventStartTime:datetime, // Mandatory
+ EventType:string, // Mandatory
+ EventVendor:string, // Mandatory
+ DvcAction:string, // Recommended
+ DvcDomain:string, // Recommended
+ DvcDomainType:string, // Recommended
+ DvcFQDN:string, // Recommended
+ DvcHostname:string, // Recommended
+ DvcId:string, // Recommended
+ DvcIdType:string, // Recommended
+ DvcIpAddr:string, // Recommended
+ EventResultDetails:string, // Recommended
+ EventUid:string, // Recommended
+ Src:string, // Recommended
+ SrcDomain:string, // Recommended
+ SrcDomainType:string, // Recommended
+ SrcHostname:string, // Recommended
+ SrcIpAddr:string, // Recommended
+ ActingAppId:string, // Optional
+ ActingAppType:string, // Optional
+ ActiveAppName:string, // Optional
+ ActorOriginalUserType:string, // Optional
+ ActorSessionId:string, // Optional
+ ActorUserId:string, // Optional
+ ActorUserIdType:string, // Optional
+ ActorUserType:string, // Optional
+ AdditionalFields:dynamic, // Optional
+ DvcDescription:string, // Optional
+ DvcInterface:string, // Optional
+ DvcMacAddr:string, // Optional
+ DvcOriginalAction:string, // Optional
+ DvcOs:string, // Optional
+ DvcOsVersion:string, // Optional
+ DvcScope:string, // Optional
+ DvcScopeId:string, // Optional
+ DvcZone:string, // Optional
+ EventMessage:string, // Optional
+ EventOriginalResultDetails:string, // Optional
+ EventOriginalSeverity:string, // Optional
+ EventOriginalSubType:string, // Optional
+ EventOriginalType:string, // Optional
+ EventOriginalUid:string, // Optional
+ EventOwner:string, // Optional
+ EventProductVersion:string, // Optional
+ EventReportUrl:string, // Optional
+ EventSubType:string, // Optional
+ GroupId:string, // Optional
+ GroupIdType:string, // Optional
+ GroupName:string, // Optional
+ GroupNameType:string, // Optional
+ GroupOriginalType:string, // Optional
+ GroupType:string, // Optional
+ HttpUserAgent:string, // Optional
+ NewPropertyValue:string, // Optional
+ PreviousPropertyValue:string, // Optional
+ SrcDeviceType:string, // Optional
+ SrcDvcId:string, // Optional
+ SrcDvcIdType:string, // Optional
+ SrcDvcScope:string, // Optional
+ SrcDvcScopeId:string, // Optional
+ SrcFQDN:string, // Optional
+ SrcGeoCity:string, // Optional
+ SrcGeoCountry:string, // Optional
+ SrcGeoLatitude:string, // Optional
+ SrcGeoLongitude:string, // Optional
+ SrcGeoRegion:string, // Optional
+ TargetOriginalUserType:string, // Optional
+ TargetUserId:string, // Optional
+ TargetUserIdType:string, // Optional
+ TargetUsername:string, // Optional
+ TargetUsernameType:string, // Optional
+ TargetUserType:string, // Optional
+ Hostname:string, // Alias
+ IpAddr:string, // Alias
+ UpdatedPropertyName:string, // Alias
+ User:string // Alias
+ )[];
+ parser
\ No newline at end of file
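Review bot: `ActiveAppName:string` looks like a typo for the ASIM common field `ActingAppName`, which belongs between `ActingAppId` and `ActingAppType` in the same block; a consumer projecting the schema by name would get a column no other ASIM schema function emits. `LastUpdated: 17 Jul2023` is missing its separator and uses a different date format from the sibling files (`16 Jul, 2023`). `ActorUserIdType` is declared here but neither of the new MicrosoftSecurityEvent parsers populates it, so the field stays empty for the only source this change ships.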
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
new file mode 100644
index 00000000000..d66c022d0a1
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
@@ -0,0 +1,328 @@
+Parser:
+ Title: User Management ASIM parser for Microsoft Security Event logs
+ Version: '0.1.0'
+ LastUpdated: 16 Jul, 2023
+Product:
+ Name: Microsoft
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: Audit User Account Management
+ Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
+Description: |
+ This ASIM parser supports normalizing Microsoft Security Event logs delivered using AMA to the ASIM UserManagement normalized schema.
+ParserName: ASimUserManagementMicrosoftSecurityEvent
+EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: targetusername_has
+ Type: string
+ Default: '*'
+ - Name: actorusername_has
+ Type: string
+ Default: '*'
+ - Name: targetdomain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: anydomain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ starttime:datetime=datetime(null),
+ endtime:datetime=datetime(null),
+ targetusername_has:string="*",
+ actorusername_has:string="",
+ targetdomain_has_any:dynamic=dynamic([]),
+ anydomain_has_any:dynamic=dynamic([]),
+ disabled:bool=false
+ ) {
+ let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)
+ [
+ "4720", "UserCreated", "UserCreated", "",
+ "4722", "UserEnabled", "UserModified", "",
+ "4723", "PasswordChanged", "UserModified", "",
+ "4724", "PasswordReset", "UserModified", "",
+ "4725", "UserDisabled", "UserModified", "",
+ "4726", "UserDeleted", "UserModified", "",
+ "4727", "GroupCreated", "GroupCreated", "Global Security Enabled",
+ "4728", "UserAddedToGroup", "GroupModified", "Global Security Enabled",
+ "4729", "UserRemovedFromGroup", "GroupModified", "Global Security Enabled",
+ "4730", "GroupDeleted", "GroupModified", "Global Security Enabled",
+ "4731", "GroupCreated", "GroupCreated", "Local Security Enabled",
+ "4732", "UserAddedToGroup", "GroupModified", "Local Security Enabled",
+ "4733", "UserRemovedFromGroup", "GroupModified", "Local Security Enabled",
+ "4734", "GroupDeleted", "GroupModified", "Local Security Enabled",
+ "4738", "UserModified", "UserModified", "",
+ "4740", "UserLocked", "UserModified", "",
+ "4744", "GroupCreated", "GroupCreated", "Local Distribution",
+ "4748", "GroupDeleted", "GroupModified", "Local Distribution",
+ "4749", "GroupCreated", "GroupCreated", "Global Distribution",
+ "4753", "GroupDeleted", "GroupModified", "Global Distribution",
+ "4754", "GroupCreated", "GroupCreated", "Universal Security Enabled",
+ "4756", "UserAddedToGroup", "GroupModified", "Universal Security Enabled",
+ "4757", "UserRemovedFromGroup", "GroupModified", "Universal Security Enabled",
+ "4758", "GroupDeleted", "GroupModified", "Universal Security Enabled",
+ "4759", "GroupCreated", "GroupCreated", "Universal Distribution",
+ "4763", "GroupDeleted", "GroupModified", "Universal Distribution",
+ "4767", "UserLocked", "UserModified", "",
+ "4781", "UserModified", "UserModified", ""
+ ];
+ let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)
+ [
+ 'Machine', 'Machine',
+ 'User', 'Regular'
+ ];
+ let UserEventID = toscalar(
+ EventIDLookup
+ | where not(disabled)
+ | where EventSubType in("UserCreated","UserModified")
+ | summarize make_set(EventID)
+ );
+ let GroupEventID = toscalar(
+ EventIDLookup
+ | where not(disabled)
+ | where EventSubType in("GroupCreated","GroupModified")
+ | summarize make_set(EventID)
+ );
+ union (
+ WindowsEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where EventID in(UserEventID)
+ | where (targetusername_has=='*' or (EventData has targetusername_has)) and
+ (actorusername_has=='*' or (EventData has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
+ | extend
+ ActorOriginalUserType = tostring(EventData.AccountType),
+ ActorSessionId = tostring(EventData.SubjectLogonId),
+ ActorUserId = tostring(EventData.SubjectUserSid),
+ NewTargetUserName = tostring(EventData.NewTargetUserName),
+ OldTargetUserName = tostring(EventData.OldTargetUserName),
+ SubjectDomainName = tostring(EventData.SubjectDomainName),
+ SubjectUserName = tostring(EventData.SubjectUserName),
+ TargetDomain = tostring(EventData.TargetDomainName),
+ TargetUserId = tostring(EventData.TargetSid),
+ TargetUsername = tostring(EventData.TargetUserName),
+ EventMessage = tostring(EventData.Activity)
+ | where (targetusername_has=='*' or (TargetUsername has targetusername_has)) and
+ (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (TargetDomain has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (TargetDomain has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | project-rename
+ NewPropertyValue = NewTargetUserName,
+ PreviousPropertyValue = OldTargetUserName
+ | extend
+ TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage
+ | extend
+ TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
+ TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where EventID in(UserEventID)
+ | where (targetusername_has=='*' or (TargetUserName has targetusername_has)) and
+ (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ TargetDomain = TargetDomainName,
+ TargetUserId = TargetSid,
+ TargetUsername = TargetUserName,
+ EventMessage = Activity
+ | parse-kv EventData as
+ (
+ OldTargetUserName:string,
+ NewTargetUserName:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ NewPropertyValue = NewTargetUserName,
+ PreviousPropertyValue = OldTargetUserName
+ | extend
+ TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage
+ | extend
+ TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
+ TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
+ ),(
+ WindowsEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where EventID in(GroupEventID)
+ | where (targetusername_has=='*' or (EventData has targetusername_has)) and
+ (actorusername_has=='*' or (EventData has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
+ | extend
+ ActorOriginalUserType = tostring(EventData.AccountType),
+ ActorSessionId = tostring(EventData.SubjectLogonId),
+ ActorUserId = tostring(EventData.SubjectUserSid),
+ GroupDomain = tostring(EventData.TargetDomainName),
+ GroupId = tostring(EventData.TargetSid),
+ GroupName = tostring(EventData.TargetUserName),
+ MemberName = tostring(EventData.MemberName),
+ MemberSid = tostring(EventData.MemberSid),
+ NewTargetUserName = tostring(EventData.NewTargetUserName),
+ OldTargetUserName = tostring(EventData.OldTargetUserName),
+ SubjectDomainName = tostring(EventData.SubjectDomainName),
+ SubjectUserName = tostring(EventData.SubjectUserName),
+ EventMessage = tostring(EventData.Activity)
+ | where (targetusername_has=='*' or (NewTargetUserName has targetusername_has) or (OldTargetUserName has targetusername_has) or (MemberName has targetusername_has)) and
+ (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (GroupDomain has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (GroupDomain has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | extend
+ GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName)),
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))
+ | where EventID in(GroupEventID)
+ | where (targetusername_has=='*' or (EventData has targetusername_has)) and
+ (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ GroupDomain = TargetDomainName,
+ GroupId = TargetSid,
+ GroupName = TargetUserName,
+ EventMessage = Activity
+ | extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
+ | parse-kv EventData as
+ (
+ MemberName:string,
+ MemberSid:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | where (targetusername_has=='*' or (MemberName has targetusername_has))
+ | project-rename
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)
+ | where (targetusername_has=='*' or (EventData has targetusername_has)) and
+ (actorusername_has=='*' or (EventData has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
+ | parse-kv EventData as
+ (
+ TargetUserName:string,
+ TargetDomainName:string,
+ TargetSid:string,
+ SubjectUserSid:string,
+ AccountType:string,
+ SubjectLogonId:string,
+ SubjectDomainName:string,
+ SubjectUserName:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | where (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ GroupDomain = TargetDomainName,
+ GroupId = TargetSid,
+ GroupName = TargetUserName,
+ EventMessage = Activity
+ | extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
+ | parse-kv EventData as
+ (
+ MemberName:string,
+ MemberSid:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | where (targetusername_has=='*' or (MemberName has targetusername_has))
+ | project-rename
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ )
+ | lookup EventIDLookup on EventID
+ | extend UpdatedPropertyName = EventSubType
+ | invoke _ASIM_ResolveDvcFQDN ("Computer")
+ | lookup UserTypeLookup on ActorOriginalUserType
+ | extend
+ DvcId = coalesce(_ResourceId, SourceComputerId),
+ EventOriginalType = tostring(EventID)
+ | project-rename
+ EventUid = _ItemId
+ | extend
+ ActorDomain = SubjectDomainName,
+ ActorUserIdType = iif(isnotempty(ActorUserId), "SID",""),
+ ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)),
+ Dvc = DvcHostname,
+ DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceID", ""),
+ DvcOs = "Windows",
+ EventCount = int(1),
+ EventEndTime = TimeGenerated,
+ EventProduct = 'Security Events',
+ EventResult = "Success",
+ EventSchema = "UserManagement",
+ EventSchemaVersion = "0.1.1",
+ EventSeverity = "Informational",
+ EventStartTime = TimeGenerated,
+ EventVendor = 'Microsoft',
+ Hostname = DvcHostname
+ | project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID
+ | extend
+ ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+ ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
+ GroupNameType = _ASIM_GetUsernameType(GroupName),
+ TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+ TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),
+ User = ActorUsername
+ };
+ parser (
+ starttime = starttime,
+ endtime = endtime,
+ targetusername_has = targetusername_has,
+ actorusername_has = actorusername_has,
+ targetdomain_has = targetdomain_has,
+ anydomain_has = anydomain_has,
+ disabled=disabled
+ )
\ No newline at end of file
diff --git a/Parsers/ASimUserManagement/README.md b/Parsers/ASimUserManagement/README.md
new file mode 100644
index 00000000000..7ab17039b52
--- /dev/null
+++ b/Parsers/ASimUserManagement/README.md
@@ -0,0 +1,17 @@
+# Advanced Security Information Model (ASIM) UserManagement parsers
+
+This template deploys all ASIM UserManagement parsers.
+
+The Advanced Security Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM UserManagement normalization schema reference](https://aka.ms/ASimUserManagementDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimUserManagementARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimUserManagementARMgov)
+
+
\ No newline at end of file
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_1.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_1.png
new file mode 100644
index 00000000000..7f7e9b0484a
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_1.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_2.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_2.png
new file mode 100644
index 00000000000..a9a4ebedbce
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_2.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_3.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_3.png
new file mode 100644
index 00000000000..00ad6caabfe
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_3.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_4.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_4.png
new file mode 100644
index 00000000000..b1bcace7c4d
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Add_Contributor_Role_4.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Demo_1.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Demo_1.png
new file mode 100644
index 00000000000..9a102b40bc7
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Demo_1.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_1.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_1.png
new file mode 100644
index 00000000000..6247dc3d03d
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_1.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_2.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_2.png
new file mode 100644
index 00000000000..9d923b95a6e
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_2.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_3.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_3.png
new file mode 100644
index 00000000000..4fa23a03ac4
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_3.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_4.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_4.png
new file mode 100644
index 00000000000..ef53a245e28
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_4.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_5.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_5.png
new file mode 100644
index 00000000000..d7b0dc71639
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_5.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_6.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_6.png
new file mode 100644
index 00000000000..25e58fc3962
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Deploy_6.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Sentinel_Workspace_1.png b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Sentinel_Workspace_1.png
new file mode 100644
index 00000000000..2db6c2e8bbf
Binary files /dev/null and b/Playbooks/AS-Recurring-Host-Entity/Images/RecurringHostEntity_Sentinel_Workspace_1.png differ
diff --git a/Playbooks/AS-Recurring-Host-Entity/README.md b/Playbooks/AS-Recurring-Host-Entity/README.md
new file mode 100644
index 00000000000..3ac6877e837
--- /dev/null
+++ b/Playbooks/AS-Recurring-Host-Entity/README.md
@@ -0,0 +1,103 @@
+# AS-Recurring-Host-Entity
+
+Author: Accelerynt
+
+For any technical questions, please contact info@accelerynt.com
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAccelerynt-Security%2FAS-Recurring-Host-Entity%2Fmain%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAccelerynt-Security%2FAS-Recurring-Host-Entity%2Fmain%2Fazuredeploy.json)
+
+This playbook is intended to be run from a Microsoft Sentinel Incident. It will take the Hosts from the Incident entities list and search the Microsoft Sentinel SecurityAlert logs for other entities containing the same Hosts. A comment noting the alerts the Hosts have previously appeared in will be added to the Incident.
+
+![RecurringHostEntity_Demo_1](Images/RecurringHostEntity_Demo_1.png)
+
+
+#
+### Requirements
+
+The following items are required under the template settings during deployment:
+
+* The [Microsoft Sentinel Workspace Name](https://github.com/Accelerynt-Security/AS-Recurring-Host-Entity#microsoft-sentinel-workspace-name) your SecurityAlert logs will be pulled from.
+
+#
+### Setup
+
+#### Microsoft Sentinel Workspace Name:
+
+Navigate to the Microsoft Sentinel page and take note of the Resource/Workspace name this Logic App will be deployed to:
+
+https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel
+
+![RecurringHostEntity_Sentinel_Workspace_1](Images/RecurringHostEntity_Sentinel_Workspace_1.png)
+
+#
+### Deployment
+
+To configure and deploy this playbook:
+
+Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:
+
+https://github.com/Accelerynt-Security/AS-Recurring-Host-Entity
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAccelerynt-Security%2FAS-Recurring-Host-Entity%2Fmain%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAccelerynt-Security%2FAS-Recurring-Host-Entity%2Fmain%2Fazuredeploy.json)
+
+Click the "**Deploy to Azure**" button at the bottom and it will bring you to the custom deployment template.
+
+In the **Project Details** section:
+
+* Select the "**Subscription**" and "**Resource Group**" from the dropdown boxes you would like the playbook deployed to.
+
+In the **Instance Details** section:
+
+* **Playbook Name**: This can be left as "**AS-Recurring-Host-Entity**" or you may change it.
+
+* **Sentinel Resource Name**: Enter the name of the Sentinel Resource/Workspace name noted in [Microsoft Sentinel Workspace Name](https://github.com/Accelerynt-Security/AS-Recurring-Host-Entity#microsoft-sentinel-workspace-name)
+
+Towards the bottom, click on "**Review + create**".
+
+![RecurringHostEntity_Deploy_1](Images/RecurringHostEntity_Deploy_1.png)
+
+Once the resources have validated, click on "**Create**".
+
+![RecurringHostEntity_Deploy_2](Images/RecurringHostEntity_Deploy_2.png)
+
+The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "**Deployment details**" section to view them.
+Click the one corresponding to the Logic App.
+
+![RecurringHostEntity_Deploy_3](Images/RecurringHostEntity_Deploy_3.png)
+
+Click on the “**Edit**” button. This will bring you into the Logic Apps Designer.
+
+![RecurringHostEntity_Deploy_4](Images/RecurringHostEntity_Deploy_4.png)
+
+Before the playbook can be run successfully, the "**azuremonitorlogs**" connection used in the first for each loop needs to be authorized, or an existing authorized connection may be alternatively selected. To validate the "**azuremonitorlogs**" connection, expand the first step in the for each loop labeled "**Connections**" and click the exclamation point icon next to the name matching the playbook.
+
+![RecurringHostEntity_Deploy_5](Images/RecurringHostEntity_Deploy_5.png)
+
+Select "**Logic Apps Managed Identity**" for the "**Authentication Type**", then click "**Create**".
+
+![RecurringHostEntity_Deploy_6](Images/RecurringHostEntity_Deploy_6.png)
+
+#
+### Microsoft Sentinel Contributor Role
+
+After deployment, you will need to give the system assigned managed identity the "**Microsoft Sentinel Contributor**" role. This will enable the Logic App to add comments to Incidents. Navigate to the Log Analytics Workspaces page and select the same workspace the playbook is located in:
+
+https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces
+
+Select the "**Access control (IAM)**" option from the menu blade, then click "**Add role assignment**".
+
+![RecurringHostEntity_Add_Contributor_Role_1](Images/RecurringHostEntity_Add_Contributor_Role_1.png)
+
+Select the "**Microsoft Sentinel Contributor**" role, then click "**Next**".
+
+![RecurringHostEntity_Add_Contributor_Role_2](Images/RecurringHostEntity_Add_Contributor_Role_2.png)
+
+Select the "**Managed identity**" option, then click "**Select Members**". Under the subscription the Logic App is located, set the value of "**Managed identity**" to "**Logic app**". Next, enter "**AS-Recurring-Host-Entity**", or the alternative playbook name used during deployment, in the field labeled "**Select**". Select the playbook, then click "**Select**".
+
+![RecurringHostEntity_Add_Contributor_Role_3](Images/RecurringHostEntity_Add_Contributor_Role_3.png)
+
+Continue on to the "**Review + assign**" tab and click "**Review + assign**".
+
+![RecurringHostEntity_Add_Contributor_Role_4](Images/RecurringHostEntity_Add_Contributor_Role_4.png)
\ No newline at end of file
diff --git a/Playbooks/AS-Recurring-Host-Entity/azuredeploy.json b/Playbooks/AS-Recurring-Host-Entity/azuredeploy.json
new file mode 100644
index 00000000000..e9dbad72a43
--- /dev/null
+++ b/Playbooks/AS-Recurring-Host-Entity/azuredeploy.json
@@ -0,0 +1,301 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "AS-Recurring-Host-Entity",
+ "description": "This playbook is intended to be run from a Microsoft Sentinel Incident. It will take the Hosts from the Incident entities list and search the Microsoft Sentinel SecurityAlert logs for other entities containing the same Hosts. A comment noting the Alerts the Hosts appear in, and their occurrence count, will be added to the Incident.",
+ "postDeployment": ["The Microsoft Sentinel Contributor role must be applied to the playbook"],
+ "lastUpdateTime": "2023-09-08T16:21:43Z",
+ "entities": ["Host"],
+ "tags": ["Microsoft Sentinel", "Incident", "Log Analytics Workspace"],
+ "support": {
+ "tier": "partner"
+ },
+ "author": {
+ "name": "Accelerynt"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "AS-Recurring-Host-Entity",
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Logic App resource to be created"
+ }
+ },
+ "SentinelResourceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Microsoft Sentinel Workspace SecurityAlerts will be queried from"
+ }
+ }
+ },
+ "variables": {
+ "azuremonitorlogs": "[concat('azuremonitorlogs-', parameters('PlaybookName'))]",
+ "azuresentinel": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('azuremonitorlogs')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "displayName": "[parameters('PlaybookName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('azuresentinel')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[parameters('PlaybookName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "LogicAppsCategory": "security"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('azuremonitorlogs'))]",
+ "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Condition": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "
Incident Hosts Appeared in Entities in the Last 7 Days
\n@{variables('Recurring Hosts')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {},
+ "type": "ApiConnection"
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@variables('Recurring Hosts')",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "runAfter": {
+ "For_each_-_Hosts": [
+ "Succeeded"
+ ]
+ },
+ "type": "If"
+ },
+ "Entities_-_Get_Hosts": {
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/host"
+ },
+ "runAfter": {},
+ "type": "ApiConnection"
+ },
+ "For_each_-_Hosts": {
+ "actions": {
+ "Condition_-_Query_has_results": {
+ "actions": {
+ "Append_to_string_variable_-_HTML_formatting": {
+ "inputs": {
+ "name": "Recurring Hosts",
+ "value": ""
+ },
+ "runAfter": {
+ "For_each_-_Related_Alert": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToStringVariable"
+ },
+ "Append_to_string_variable_-_Host_Name_Header": {
+ "inputs": {
+ "name": "Recurring Hosts",
+ "value": "\n@{items('For_each_-_Hosts')?['HostName']} appeared in the following Alerts:\n\n"
+ },
+ "runAfter": {},
+ "type": "AppendToStringVariable"
+ },
+ "For_each_-_Related_Alert": {
+ "actions": {
+ "Append_to_string_variable_-_Alert_Info": {
+ "inputs": {
+ "name": "Recurring Hosts",
+ "value": "- @{items('For_each_-_Related_Alert')?['AlertName']} -- @{items('For_each_-_Related_Alert')?['Count']} occurrences
"
+ },
+ "runAfter": {},
+ "type": "AppendToStringVariable"
+ }
+ },
+ "foreach": "@body('Run_query_and_list_results')?['value']",
+ "runAfter": {
+ "Append_to_string_variable_-_Host_Name_Header": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(body('Run_query_and_list_results')?['value'])",
+ 0
+ ]
+ }
+ ]
+ },
+ "runAfter": {
+ "Run_query_and_list_results": [
+ "Succeeded"
+ ]
+ },
+ "type": "If"
+ },
+ "Run_query_and_list_results": {
+ "inputs": {
+ "body": "SecurityAlert\n| where Entities has '@{items('For_each_-_Hosts')?['HostName']}'\n| summarize Count = count() by AlertName\n| order by Count desc",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/queryData",
+ "queries": {
+ "resourcegroups": "[resourceGroup().name]",
+ "resourcename": "[parameters('SentinelResourceName')]",
+ "resourcetype": "Log Analytics Workspace",
+ "subscriptions": "[subscription().subscriptionId]",
+ "timerange": "@{addDays(utcNow(), -7)}"
+ }
+ },
+ "runAfter": {},
+ "type": "ApiConnection"
+ }
+ },
+ "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
+ "runAfter": {
+ "Initialize_variable_-_Recurring_Hosts": [
+ "Succeeded"
+ ]
+ },
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ },
+ "type": "Foreach"
+ },
+ "Initialize_variable_-_Recurring_Hosts": {
+ "inputs": {
+ "variables": [
+ {
+ "name": "Recurring Hosts",
+ "type": "string"
+ }
+ ]
+ },
+ "runAfter": {
+ "Entities_-_Get_Hosts": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable"
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuremonitorlogs": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuremonitorlogs'))]",
+ "connectionName": "[variables('azuremonitorlogs')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
+ },
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]",
+ "connectionName": "[variables('azuresentinel')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
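Review bot: The KQL in `Run_query_and_list_results` (`"body": "SecurityAlert\n| where Entities has '@{items('For_each_-_Hosts')?['HostName']}'…"`) splices the incident's host name straight into a single-quoted KQL literal, so a `HostName` containing `'` or `\` — a value that ultimately comes from alert data, not from the operator — breaks out of the literal and changes the query that is run. Escape the value before interpolating it, e.g. replace the inner expression with `replace(replace(items('For_each_-_Hosts')?['HostName'], '\', '\\'), '''', '\''')` (WDL doubles `'` inside its literals, KQL escapes `'` and `\` with a backslash, and those backslashes then need JSON escaping inside the template), or skip hosts whose name falls outside the DNS hostname character set. The `postDeployment` note at the top requires the Microsoft Sentinel Contributor role, yet the only Sentinel write the workflow performs is the `/Incidents/Comment` call; the narrower Microsoft Sentinel Responder role is likely sufficient for that — worth confirming and documenting so deployments follow least privilege.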
diff --git a/Playbooks/AS-Sign-Out-Google-User/README.md b/Playbooks/AS-Sign-Out-Google-User/README.md
index 8d6cab59536..57d4373a92b 100644
--- a/Playbooks/AS-Sign-Out-Google-User/README.md
+++ b/Playbooks/AS-Sign-Out-Google-User/README.md
@@ -200,9 +200,9 @@ Once the deployment is complete, the Function can be accessed from your Azure te
To configure and deploy this playbook:
-Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security Google Repository:
+Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:
-https://Google.com/Accelerynt-Security/AS-Sign-Out-Google-User
+https://github.com/Accelerynt-Security/AS-Sign-Out-Google-User
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Sign-Out-Google-Userazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Sign-Out-Google-Userazuredeploy.json)
diff --git a/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_IngestedLogs.csv b/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_IngestedLogs.csv
new file mode 100644
index 00000000000..248da52e6d4
--- /dev/null
+++ b/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_IngestedLogs.csv
@@ -0,0 +1,1100 @@
+TenantId,"TimeGenerated [UTC]",SourceSystem,Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,SourceComputerId,EventOriginId,MG,"TimeCollected [UTC]",ManagementGroupName,AccessList,AccessMask,AccessReason,AccountDomain,AccountExpires,AccountName,AccountSessionIdentifier,AdditionalInfo,AdditionalInfo2,AllowedToDelegateTo,Attributes,AuditPolicyChanges,AuditsDiscarded,AuthenticationLevel,AuthenticationPackageName,AuthenticationProvider,AuthenticationServer,AuthenticationService,AuthenticationType,CACertificateHash,CalledStationID,CallerProcessId,CallerProcessName,CallingStationID,CAPublicKeyHash,CategoryId,CertificateDatabaseHash,ClassId,ClassName,ClientAddress,ClientIPAddress,ClientName,CommandLine,CompatibleIds,DCDNSName,DeviceDescription,DeviceId,DisplayName,Disposition,DomainBehaviorVersion,DomainName,DomainPolicyChanged,DomainSid,EAPType,ElevatedToken,ErrorCode,ExtendedQuarantineState,FailureReason,FileHash,FilePath,FilePathNoUser,Filter,ForceLogoff,Fqbn,FullyQualifiedSubjectMachineName,FullyQualifiedSubjectUserName,GroupMembership,HandleId,HardwareIds,HomeDirectory,HomePath,ImpersonationLevel,InterfaceUuid,IpAddress,IpPort,KeyLength,LmPackageName,LocationInformation,LockoutDuration,LockoutObservationWindow,LockoutThreshold,LoggingResult,LogonGuid,LogonHours,LogonID,LogonProcessName,LogonType,LogonTypeName,MachineAccountQuota,MachineInventory,MachineLogon,MandatoryLabel,MaxPasswordAge,MemberName,MemberSid,MinPasswordAge,MinPasswordLength,MixedDomainMode,NASIdentifier,NASIPv4Address,NASIPv6Address,NASPort,NASPortType,NetworkPolicyName,NewDate,NewMaxUsers,NewProcessId,NewProcessName,NewRemark,NewShareFlags,NewTime,NewUacValue,NewValue,NewValueType,ObjectName,ObjectServer,ObjectType,ObjectValueName,OemInformation,OldMaxUsers,OldRemark,OldShareFlags,OldUacValue,OldValue,OldValueType,OperationType,PackageName,ParentProcessName,PasswordHistoryLength,PasswordLastSet,PasswordProperties,PreviousDate,PreviousTime,PrimaryGroupId,Priv
ateKeyUsageCount,PrivilegeList,Process,ProcessId,ProcessName,Properties,ProfilePath,ProtocolSequence,ProxyPolicyName,QuarantineHelpURL,QuarantineSessionID,QuarantineSessionIdentifier,QuarantineState,QuarantineSystemHealthResult,RelativeTargetName,RemoteIpAddress,RemotePort,Requester,RequestId,RestrictedAdminMode,RowsDeleted,SamAccountName,ScriptPath,SecurityDescriptor,ServiceAccount,ServiceFileName,ServiceName,ServiceStartType,ServiceType,SessionName,ShareLocalPath,ShareName,SidHistory,Status,SubjectAccount,SubcategoryGuid,SubcategoryId,Subject,SubjectDomainName,SubjectKeyIdentifier,SubjectLogonId,SubjectMachineName,SubjectMachineSID,SubjectUserName,SubjectUserSid,SubStatus,TableId,TargetAccount,TargetDomainName,TargetInfo,TargetLinkedLogonId,TargetLogonGuid,TargetLogonId,TargetOutboundDomainName,TargetOutboundUserName,TargetServerName,TargetSid,TargetUser,TargetUserName,TargetUserSid,TemplateContent,TemplateDSObjectFQDN,TemplateInternalName,TemplateOID,TemplateSchemaVersion,TemplateVersion,TokenElevationType,TransmittedServices,UserAccountControl,UserParameters,UserPrincipalName,UserWorkstations,VirtualAccount,VendorIds,Workstation,WorkstationName,PartitionKey,RowKey,StorageAccount,AzureDeploymentID,AzureTableName,Type,"_ResourceId"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:54:32.103 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0,"
+ Global Distribution Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1132
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ Global Distribution Group
+ -
+",4749,"4749 - A security-disabled global group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:55:00.946 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:53:24.078 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ Universal Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1131
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4758,"4758 - A security-enabled universal group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:54:00.934 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Universal Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,"Universal Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:53:32.979 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ Global Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1129
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4730,"4730 - A security-enabled global group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:54:00.934 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Global Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,"Global Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:53:37.641 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ Domain Local Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1130
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4734,"4734 - A security-enabled local group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:54:00.934 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,"Domain Local Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:55:06.584 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0,"
+ Domain Local Distribution Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1133
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ Domain Local Distribution Group
+ -
+",4744,"4744 - A security-disabled local group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:55:40.696 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:55:27.233 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0,"
+ Universal Distribution Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1134
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ Universal Distribution Group
+ -
+",4759,"4759 - A security-disabled universal group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:56:00.765 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:56:38.773 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0,"
+ Universal Distribution Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1134
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4763,4763,"cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:57:01.215 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:56:53.397 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0,"
+ Global Distribution Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1132
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4753,"4753 - A security-disabled global group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:57:20.666 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 10:21:05.504 PM",OpsManager,"CL01\KustoKing",,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ CL01
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-18
+ DC1$
+ KUSTOWORKS
+ 0x3e7
+",4740,"4740 - A user account was locked out.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 10:21:40.877 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\DC1$",,,,KUSTOWORKS,,0x3e7,,,"DC1$","S-1-5-18",,,"CL01\KustoKing",CL01,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 10:21:35.353 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,,4767,"4767 - A user account was unlocked.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 10:22:00.754 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 10:04:11.926 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0,"
+ Domain Local Distribution Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1133
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4748,"4748 - A security-disabled local group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 10:04:41.113 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:02.628 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+ KustoKing
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:49.868 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,KustoKing,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:02.628 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKingRenamed
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:49.868 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:05.246 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+ -
+ -
+ KustoKingRenamed@kustoworks.com
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:49.868 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","KustoKingRenamed@kustoworks.com","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:14.626 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+ -
+ -
+ KustoKing@kustoworks.com
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:49.868 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","KustoKing@kustoworks.com","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:32:49.720 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKingRenamed
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+ KustoKingRenamed
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:44.543 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,KustoKingRenamed,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKingRenamed",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKingRenamed,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:32:49.720 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KustoKingRenamed
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:44.543 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:40.164 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ Domain Local Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1135
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+ Domain Local Group
+ -
+",4731,"4731 - A security-enabled local group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:02:00.581 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,"Domain Local Group",,,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1135",,"Domain Local Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:50.831 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ Domain Local Group
+ Domain Local Group Renamed
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1135
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:02:00.581 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1135",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:51.602 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ Domain Local Group Renamed
+ Domain Local Group Renamed
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1135
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:02:00.581 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1135",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:58.257 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ Domain Local Group Renamed
+ Domain Local Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1135
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x118925a
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:02:00.581 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1135",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:21:50.103 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ Administrator RENAME
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+ Administrator RENAME
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:13.324 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"Administrator RENAME","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Administrator RENAME",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,"Administrator RENAME",,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:21:50.103 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ Administrator
+ Administrator RENAME
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:13.324 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:18.686 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ Administrator
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+ Administrator
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:17.058 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,Administrator,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Administrator",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,Administrator,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:18.686 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ Administrator RENAME
+ Administrator
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:17.058 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:27.199 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ Administrator
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+ -
+ -
+ Administrator
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:22.418 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Administrator",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,Administrator,,,,,,,,,,"-","-",Administrator,"-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:40.246 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ DHCP Users
+ DHCP Users This one too
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1103
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:27.160 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1103",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:42.539 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ DHCP Users This one too
+ DHCP Users This one too
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1103
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:27.160 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1103",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:56.509 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ DHCP Users This one too
+ DHCP Users
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1103
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:27.160 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1103",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:57.317 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ DHCP Users
+ DHCP Users
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1103
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x2e7842
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:27.160 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1103",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:16:18.919 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ Global Security Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1129
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ Global Security Group
+ -
+",4727,"4727 - A security-enabled global group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:35.100 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,"Global Security Group",,,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Global Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,"Global Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:16:42.712 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ Domain Local Security Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1130
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ Domain Local Security Group
+ -
+",4731,"4731 - A security-enabled local group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:36.761 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,"Domain Local Security Group",,,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,"Domain Local Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:17:16.502 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ Universal Security Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1131
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ Universal Security Group
+ -
+",4754,"4754 - A security-enabled universal group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:37.476 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,"Universal Security Group",,,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Universal Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,"Universal Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:18:13.424 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ CN=KustoKing,CN=Users,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ Universal Security Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1131
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4756,"4756 - A member was added to a security-enabled universal group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:48.995 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Universal Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,"Universal Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:18:54.699 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ CN=KustoKing,CN=Users,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ Domain Local Security Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1130
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4732,"4732 - A member was added to a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:59.260 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,"Domain Local Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:23:08.575 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ Universal Security Group
+ Universal Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1131
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:30:27.599 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:23:17.977 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ Global Security Group
+ Global Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1129
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:30:27.599 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:23:26.421 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ Domain Local Security Group
+ Domain Local Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1130
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:30:32.350 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:26:38.577 PM",OpsManager,"KUSTOWORKS\KustoKing",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ KustoKing
+ KUSTOWORKS
+ 0x2069128
+ -
+",4723,"4723 - An attempt was made to change an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:12.374 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\KustoKing",,,,KUSTOWORKS,,0x2069128,,,KustoKing,"S-1-5-21-2496762881-1366215883-1809657155-1128",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:26:55.391 PM",OpsManager,"KUSTOWORKS\KustoKing",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ KustoKing
+ KUSTOWORKS
+ 0x20b4ed4
+ -
+",4723,"4723 - An attempt was made to change an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:13.652 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\KustoKing",,,,KUSTOWORKS,,0x20b4ed4,,,KustoKing,"S-1-5-21-2496762881-1366215883-1809657155-1128",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:28:18.914 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ CN=KustoKing,CN=Users,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ Domain Local Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1130
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4733,"4733 - A member was removed from a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:32.194 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,"Domain Local Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:28:34.226 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ CN=KustoKing,CN=Users,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ Global Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1129
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4729,"4729 - A member was removed from a security-enabled global group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:36.703 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Global Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,"Global Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:28:42.429 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ CN=KustoKing,CN=Users,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ Universal Security Group123
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1131
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4757,"4757 - A member was removed from a security-enabled universal group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:41.730 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Universal Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,"Universal Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:06:09.450 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 0x210
+ 0x211
+ %%2080
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:13:10.346 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x211,,,,,,,,,,,0x210,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2080","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:06:09.450 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+",4725,"4725 - A user account was disabled.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:13:10.346 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:06:31.375 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 0x211
+ 0x210
+ %%2048
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:13:11.034 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x210,,,,,,,,,,,0x211,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2048","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:06:31.375 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+",4722,"4722 - A user account was enabled.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:13:11.034 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:14:04.954 PM",OpsManager,"NT AUTHORITY\ANONYMOUS LOGON",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-7
+ ANONYMOUS LOGON
+ NT AUTHORITY
+ 0x3e6
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 7/8/2023 11:14:04 PM
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:14:49.641 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"7/8/2023 11:14:04 PM",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"NT AUTHORITY\ANONYMOUS LOGON",,,,"NT AUTHORITY",,0x3e6,,,"ANONYMOUS LOGON","S-1-5-7",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:14:04.954 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x1574e03
+",4724,"4724 - An attempt was made to reset an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:14:49.641 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x1574e03,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:04:50.338 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1127
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4726,"4726 - A user account was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:49.612 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1127",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.564 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ KustoKing
+ KustoKing
+ KustoKing@kustoworks.com
+ -
+ -
+ -
+ -
+ -
+ %%1794
+ %%1794
+ 513
+ -
+ 0x0
+ 0x15
+ %%2080 %%2082 %%2084
+ -
+ -
+ %%1793
+",4720,"4720 - A user account was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"%%1794",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,KustoKing,,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"%%1793",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x15,,,,,,,,,,,0x0,,,,,,,"%%1794",,,,513,,"-",,,,,"-",,,,,,,,,,,,,,,KustoKing,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2080 %%2082 %%2084","-","KustoKing@kustoworks.com","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.623 PM",OpsManager,"NT AUTHORITY\ANONYMOUS LOGON",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-7
+ ANONYMOUS LOGON
+ NT AUTHORITY
+ 0x3e6
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 7/8/2023 11:05:36 PM
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"7/8/2023 11:05:36 PM",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"NT AUTHORITY\ANONYMOUS LOGON",,,,"NT AUTHORITY",,0x3e6,,,"ANONYMOUS LOGON","S-1-5-7",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.623 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xf10ff1
+",4724,"4724 - An attempt was made to reset an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xf10ff1,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.628 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 0x15
+ 0x211
+ %%2050 %%2089
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x211,,,,,,,,,,,0x15,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2050 %%2089","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.630 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ -
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 0x211
+ 0x210
+ %%2048
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x210,,,,,,,,,,,0x211,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2048","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.630 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,"
+ KustoKing
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+",4722,"4722 - A user account was enabled.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:18:25.378 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0,"
+ CN=KustoKing,CN=Users,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1128
+ Global Security Group
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1129
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0xa6a86b
+ -
+",4728,"4728 - A member was added to a security-enabled global group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:54.046 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Global Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,"Global Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:00:50.147 PM",OpsManager,"KUSTOWORKS\DC1$",Machine,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ gMSAMDIRead$
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1105
+ S-1-5-18
+ DC1$
+ KUSTOWORKS
+ 0x3e7
+",4724,"4724 - An attempt was made to reset an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:07:29.042 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\DC1$",,,,KUSTOWORKS,,0x3e7,,,"DC1$","S-1-5-18",,,"KUSTOWORKS\gMSAMDIRead$",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1105",,"gMSAMDIRead$",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:40:19.443 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ CN=panosuserid,CN=Users,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1114
+ Event Log Readers
+ Builtin
+ S-1-5-32-573
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+",4733,"4733 - A member was removed from a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:40:35.752 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=panosuserid,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1114",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"Builtin\Event Log Readers",Builtin,,,,,,,,"S-1-5-32-573",,"Event Log Readers",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:40:49.887 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ panosuserid
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1114
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+",4726,"4726 - A user account was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:15.722 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\panosuserid",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1114",,panosuserid,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:40:51.846 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ kustotest
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1107
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+",4726,"4726 - A user account was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:15.722 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\kustotest",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1107",,kustotest,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.323 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ subscriptionuser
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1126
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+ subscriptionuser
+ subscriptionuser
+ subscriptionuser@kustoworks.com
+ -
+ -
+ -
+ -
+ -
+ %%1794
+ %%1794
+ 513
+ -
+ 0x0
+ 0x15
+ %%2080 %%2082 %%2084
+ -
+ -
+ %%1793
+",4720,"4720 - A user account was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"%%1794",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,subscriptionuser,,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"%%1793",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x15,,,,,,,,,,,0x0,,,,,,,"%%1794",,,,513,,"-",,,,,"-",,,,,,,,,,,,,,,subscriptionuser,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,," %%2080 %%2082 %%2084","-","subscriptionuser@kustoworks.com","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.385 PM",OpsManager,"NT AUTHORITY\ANONYMOUS LOGON",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ -
+ subscriptionuser
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1126
+ S-1-5-7
+ ANONYMOUS LOGON
+ NT AUTHORITY
+ 0x3e6
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 4/20/2023 8:41:36 PM
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"4/20/2023 8:41:36 PM",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"NT AUTHORITY\ANONYMOUS LOGON",,,,"NT AUTHORITY",,0x3e6,,,"ANONYMOUS LOGON","S-1-5-7",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.385 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ subscriptionuser
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1126
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x7b029c
+",4724,"4724 - An attempt was made to reset an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x7b029c,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.399 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ -
+ subscriptionuser
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1126
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.401 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ -
+ subscriptionuser
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1126
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 0x15
+ 0x211
+ %%2050 %%2089
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x211,,,,,,,,,,,0x15,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,," %%2050 %%2089","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.402 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ -
+ subscriptionuser
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1126
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ 0x211
+ 0x210
+ %%2048
+ -
+ -
+ -
+",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x210,,,,,,,,,,,0x211,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,," %%2048","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.402 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ subscriptionuser
+ KUSTOWORKS
+ S-1-5-21-2496762881-1366215883-1809657155-1126
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+",4722,"4722 - A user account was enabled.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:42:08.586 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ CN=WEF1,CN=Computers,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1108
+ Event Log Readers
+ Builtin
+ S-1-5-32-573
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+",4732,"4732 - A member was added to a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:42:35.733 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=WEF1,CN=Computers,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1108",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"Builtin\Event Log Readers",Builtin,,,,,,,,"S-1-5-32-573",,"Event Log Readers",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:42:08.586 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ CN=subscriptionuser,CN=Users,DC=kustoworks,DC=com
+ S-1-5-21-2496762881-1366215883-1809657155-1126
+ Event Log Readers
+ Builtin
+ S-1-5-32-573
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+",4732,"4732 - A member was added to a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:42:35.733 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=subscriptionuser,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1126",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"Builtin\Event Log Readers",Builtin,,,,,,,,"S-1-5-32-573",,"Event Log Readers",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:42:08.586 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0,"
+ -
+ S-1-5-20
+ Event Log Readers
+ Builtin
+ S-1-5-32-573
+ S-1-5-21-2496762881-1366215883-1809657155-500
+ Administrator
+ KUSTOWORKS
+ 0x3aeb8e
+ -
+",4732,"4732 - A member was added to a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:42:35.733 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-","S-1-5-20",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"Builtin\Event Log Readers",Builtin,,,,,,,,"S-1-5-32-573",,"Event Log Readers",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1"
diff --git a/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_Schema.csv b/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_Schema.csv
new file mode 100644
index 00000000000..19191eedf65
--- /dev/null
+++ b/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_Schema.csv
@@ -0,0 +1,226 @@
+ColumnName,ColumnOrdinal,DataType,ColumnType
+TenantId,0,"System.String",string
+TimeGenerated,1,"System.DateTime",datetime
+SourceSystem,2,"System.String",string
+Account,3,"System.String",string
+AccountType,4,"System.String",string
+Computer,5,"System.String",string
+EventSourceName,6,"System.String",string
+Channel,7,"System.String",string
+Task,8,"System.Int32",int
+Level,9,"System.String",string
+EventData,10,"System.String",string
+EventID,11,"System.Int32",int
+Activity,12,"System.String",string
+SourceComputerId,13,"System.String",string
+EventOriginId,14,"System.String",string
+MG,15,"System.String",string
+TimeCollected,16,"System.DateTime",datetime
+ManagementGroupName,17,"System.String",string
+AccessList,18,"System.String",string
+AccessMask,19,"System.String",string
+AccessReason,20,"System.String",string
+AccountDomain,21,"System.String",string
+AccountExpires,22,"System.String",string
+AccountName,23,"System.String",string
+AccountSessionIdentifier,24,"System.String",string
+AdditionalInfo,25,"System.String",string
+AdditionalInfo2,26,"System.String",string
+AllowedToDelegateTo,27,"System.String",string
+Attributes,28,"System.String",string
+AuditPolicyChanges,29,"System.String",string
+AuditsDiscarded,30,"System.Int32",int
+AuthenticationLevel,31,"System.Int32",int
+AuthenticationPackageName,32,"System.String",string
+AuthenticationProvider,33,"System.String",string
+AuthenticationServer,34,"System.String",string
+AuthenticationService,35,"System.Int32",int
+AuthenticationType,36,"System.String",string
+CACertificateHash,37,"System.String",string
+CalledStationID,38,"System.String",string
+CallerProcessId,39,"System.String",string
+CallerProcessName,40,"System.String",string
+CallingStationID,41,"System.String",string
+CAPublicKeyHash,42,"System.String",string
+CategoryId,43,"System.String",string
+CertificateDatabaseHash,44,"System.String",string
+ClassId,45,"System.String",string
+ClassName,46,"System.String",string
+ClientAddress,47,"System.String",string
+ClientIPAddress,48,"System.String",string
+ClientName,49,"System.String",string
+CommandLine,50,"System.String",string
+CompatibleIds,51,"System.String",string
+DCDNSName,52,"System.String",string
+DeviceDescription,53,"System.String",string
+DeviceId,54,"System.String",string
+DisplayName,55,"System.String",string
+Disposition,56,"System.String",string
+DomainBehaviorVersion,57,"System.String",string
+DomainName,58,"System.String",string
+DomainPolicyChanged,59,"System.String",string
+DomainSid,60,"System.String",string
+EAPType,61,"System.String",string
+ElevatedToken,62,"System.String",string
+ErrorCode,63,"System.Int32",int
+ExtendedQuarantineState,64,"System.String",string
+FailureReason,65,"System.String",string
+FileHash,66,"System.String",string
+FilePath,67,"System.String",string
+FilePathNoUser,68,"System.String",string
+Filter,69,"System.String",string
+ForceLogoff,70,"System.String",string
+Fqbn,71,"System.String",string
+FullyQualifiedSubjectMachineName,72,"System.String",string
+FullyQualifiedSubjectUserName,73,"System.String",string
+GroupMembership,74,"System.String",string
+HandleId,75,"System.String",string
+HardwareIds,76,"System.String",string
+HomeDirectory,77,"System.String",string
+HomePath,78,"System.String",string
+ImpersonationLevel,79,"System.String",string
+InterfaceUuid,80,"System.String",string
+IpAddress,81,"System.String",string
+IpPort,82,"System.String",string
+KeyLength,83,"System.Int32",int
+LmPackageName,84,"System.String",string
+LocationInformation,85,"System.String",string
+LockoutDuration,86,"System.String",string
+LockoutObservationWindow,87,"System.String",string
+LockoutThreshold,88,"System.String",string
+LoggingResult,89,"System.String",string
+LogonGuid,90,"System.String",string
+LogonHours,91,"System.String",string
+LogonID,92,"System.String",string
+LogonProcessName,93,"System.String",string
+LogonType,94,"System.Int32",int
+LogonTypeName,95,"System.String",string
+MachineAccountQuota,96,"System.String",string
+MachineInventory,97,"System.String",string
+MachineLogon,98,"System.String",string
+MandatoryLabel,99,"System.String",string
+MaxPasswordAge,100,"System.String",string
+MemberName,101,"System.String",string
+MemberSid,102,"System.String",string
+MinPasswordAge,103,"System.String",string
+MinPasswordLength,104,"System.String",string
+MixedDomainMode,105,"System.String",string
+NASIdentifier,106,"System.String",string
+NASIPv4Address,107,"System.String",string
+NASIPv6Address,108,"System.String",string
+NASPort,109,"System.String",string
+NASPortType,110,"System.String",string
+NetworkPolicyName,111,"System.String",string
+NewDate,112,"System.String",string
+NewMaxUsers,113,"System.String",string
+NewProcessId,114,"System.String",string
+NewProcessName,115,"System.String",string
+NewRemark,116,"System.String",string
+NewShareFlags,117,"System.String",string
+NewTime,118,"System.String",string
+NewUacValue,119,"System.String",string
+NewValue,120,"System.String",string
+NewValueType,121,"System.String",string
+ObjectName,122,"System.String",string
+ObjectServer,123,"System.String",string
+ObjectType,124,"System.String",string
+ObjectValueName,125,"System.String",string
+OemInformation,126,"System.String",string
+OldMaxUsers,127,"System.String",string
+OldRemark,128,"System.String",string
+OldShareFlags,129,"System.String",string
+OldUacValue,130,"System.String",string
+OldValue,131,"System.String",string
+OldValueType,132,"System.String",string
+OperationType,133,"System.String",string
+PackageName,134,"System.String",string
+ParentProcessName,135,"System.String",string
+PasswordHistoryLength,136,"System.String",string
+PasswordLastSet,137,"System.String",string
+PasswordProperties,138,"System.String",string
+PreviousDate,139,"System.String",string
+PreviousTime,140,"System.String",string
+PrimaryGroupId,141,"System.String",string
+PrivateKeyUsageCount,142,"System.String",string
+PrivilegeList,143,"System.String",string
+Process,144,"System.String",string
+ProcessId,145,"System.String",string
+ProcessName,146,"System.String",string
+Properties,147,"System.String",string
+ProfilePath,148,"System.String",string
+ProtocolSequence,149,"System.String",string
+ProxyPolicyName,150,"System.String",string
+QuarantineHelpURL,151,"System.String",string
+QuarantineSessionID,152,"System.String",string
+QuarantineSessionIdentifier,153,"System.String",string
+QuarantineState,154,"System.String",string
+QuarantineSystemHealthResult,155,"System.String",string
+RelativeTargetName,156,"System.String",string
+RemoteIpAddress,157,"System.String",string
+RemotePort,158,"System.String",string
+Requester,159,"System.String",string
+RequestId,160,"System.String",string
+RestrictedAdminMode,161,"System.String",string
+RowsDeleted,162,"System.String",string
+SamAccountName,163,"System.String",string
+ScriptPath,164,"System.String",string
+SecurityDescriptor,165,"System.String",string
+ServiceAccount,166,"System.String",string
+ServiceFileName,167,"System.String",string
+ServiceName,168,"System.String",string
+ServiceStartType,169,"System.Int32",int
+ServiceType,170,"System.String",string
+SessionName,171,"System.String",string
+ShareLocalPath,172,"System.String",string
+ShareName,173,"System.String",string
+SidHistory,174,"System.String",string
+Status,175,"System.String",string
+SubjectAccount,176,"System.String",string
+SubcategoryGuid,177,"System.String",string
+SubcategoryId,178,"System.String",string
+Subject,179,"System.String",string
+SubjectDomainName,180,"System.String",string
+SubjectKeyIdentifier,181,"System.String",string
+SubjectLogonId,182,"System.String",string
+SubjectMachineName,183,"System.String",string
+SubjectMachineSID,184,"System.String",string
+SubjectUserName,185,"System.String",string
+SubjectUserSid,186,"System.String",string
+SubStatus,187,"System.String",string
+TableId,188,"System.String",string
+TargetAccount,189,"System.String",string
+TargetDomainName,190,"System.String",string
+TargetInfo,191,"System.String",string
+TargetLinkedLogonId,192,"System.String",string
+TargetLogonGuid,193,"System.String",string
+TargetLogonId,194,"System.String",string
+TargetOutboundDomainName,195,"System.String",string
+TargetOutboundUserName,196,"System.String",string
+TargetServerName,197,"System.String",string
+TargetSid,198,"System.String",string
+TargetUser,199,"System.String",string
+TargetUserName,200,"System.String",string
+TargetUserSid,201,"System.String",string
+TemplateContent,202,"System.String",string
+TemplateDSObjectFQDN,203,"System.String",string
+TemplateInternalName,204,"System.String",string
+TemplateOID,205,"System.String",string
+TemplateSchemaVersion,206,"System.String",string
+TemplateVersion,207,"System.String",string
+TokenElevationType,208,"System.String",string
+TransmittedServices,209,"System.String",string
+UserAccountControl,210,"System.String",string
+UserParameters,211,"System.String",string
+UserPrincipalName,212,"System.String",string
+UserWorkstations,213,"System.String",string
+VirtualAccount,214,"System.String",string
+VendorIds,215,"System.String",string
+Workstation,216,"System.String",string
+WorkstationName,217,"System.String",string
+PartitionKey,218,"System.String",string
+RowKey,219,"System.String",string
+StorageAccount,220,"System.String",string
+AzureDeploymentID,221,"System.String",string
+AzureTableName,222,"System.String",string
+Type,223,"System.String",string
+"_ResourceId",224,"System.String",string
diff --git a/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_IngestedLogs.csv b/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_IngestedLogs.csv
new file mode 100644
index 00000000000..33fcd8be1ef
--- /dev/null
+++ b/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_IngestedLogs.csv
@@ -0,0 +1,58 @@
+TenantId,SourceSystem,"TimeGenerated [UTC]",Provider,Channel,Computer,Task,EventLevel,EventLevelName,Data,EventID,ManagementGroupName,SystemUserId,Version,Opcode,Keywords,Correlation,SystemProcessId,SystemThreadId,EventRecordId,EventData,RawEventData,EventOriginId,"TimeCreated [UTC]",Type,"_ResourceId"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:06:44.076 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4758,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309866309,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:08:23.547 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4730,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309866731,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:08:23.547 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4734,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309866747,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:21:23.377 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4753,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309868586,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1132""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:20:43.552 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4763,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309868508,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1134""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:35:09.027 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4748,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309873533,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1133""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:19:04.087 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4749,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309868142,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1132"",""SamAccountName"":""Global Distribution Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:19:04.087 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4744,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309868230,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1133"",""SamAccountName"":""Domain Local Distribution Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:19:43.963 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4759,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309868281,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1134"",""SamAccountName"":""Universal Distribution Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:53:24.236 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4740,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309889481,"{""SubjectUserSid"":""S-1-5-18"",""SubjectUserName"":""DC1$"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x3e7"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""CL01"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:53:24.267 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4767,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309889911,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:32:49.720 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922678,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKingRenamed"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""KustoKingRenamed"",""SidHistory"":""-"",""Dummy"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:32:49.720 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922679,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""OldTargetUserName"":""KustoKing"",""NewTargetUserName"":""KustoKingRenamed""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:02.628 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922852,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""KustoKing"",""SidHistory"":""-"",""Dummy"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:02.628 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922853,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""OldTargetUserName"":""KustoKingRenamed"",""NewTargetUserName"":""KustoKing""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:05.246 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922885,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""SidHistory"":""-"",""Dummy"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""KustoKingRenamed@kustoworks.com"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:14.626 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922965,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""SidHistory"":""-"",""Dummy"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""KustoKing@kustoworks.com"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:40.164 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4731,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2744,2309923302,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1135"",""SamAccountName"":""Domain Local Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:50.831 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2744,2309923379,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1135"",""OldTargetUserName"":""Domain Local Group"",""NewTargetUserName"":""Domain Local Group Renamed""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:51.602 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309923395,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1135"",""OldTargetUserName"":""Domain Local Group Renamed"",""NewTargetUserName"":""Domain Local Group Renamed""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:58.257 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,1808,2309923465,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1135"",""OldTargetUserName"":""Domain Local Group Renamed"",""NewTargetUserName"":""Domain Local Group""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.052 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,1940,2309956902,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetUserName"":""Administrator RENAME"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""Dummy"":""-"",""SamAccountName"":""Administrator RENAME"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.052 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,1940,2309956903,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""OldTargetUserName"":""Administrator"",""NewTargetUserName"":""Administrator RENAME""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.052 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3096,2309957090,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetUserName"":""Administrator"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""Dummy"":""-"",""SamAccountName"":""Administrator"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.052 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3096,2309957091,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""OldTargetUserName"":""Administrator RENAME"",""NewTargetUserName"":""Administrator""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,1940,2309957184,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetUserName"":""Administrator"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""Dummy"":""-"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""Administrator"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3092,2309957307,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1103"",""OldTargetUserName"":""DHCP Users"",""NewTargetUserName"":""DHCP Users This one too""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,1940,2309957332,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1103"",""OldTargetUserName"":""DHCP Users This one too"",""NewTargetUserName"":""DHCP Users This one too""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3096,2309957432,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1103"",""OldTargetUserName"":""DHCP Users This one too"",""NewTargetUserName"":""DHCP Users""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3092,2309957436,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1103"",""OldTargetUserName"":""DHCP Users"",""NewTargetUserName"":""DHCP Users""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:06:31.375 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309842183,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x211"",""NewUacValue"":""0x210"",""UserAccountControl"":"" \t\t%%2048"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:06:31.375 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4722,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309842184,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:04:50.338 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4726,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309841463,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1127""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.564 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4720,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309841963,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""KustoKing"",""DisplayName"":""KustoKing"",""UserPrincipalName"":""KustoKing@kustoworks.com"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""%%1794"",""AccountExpires"":""%%1794"",""PrimaryGroupId"":""513"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x0"",""NewUacValue"":""0x15"",""UserAccountControl"":"" \t\t%%2080 \t\t%%2082 \t\t%%2084"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""%%1793""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.623 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309841974,"{""SubjectUserSid"":""S-1-5-7"",""SubjectUserName"":""ANONYMOUS LOGON"",""SubjectDomainName"":""NT AUTHORITY"",""SubjectLogonId"":""0x3e6"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""7/8/2023 11:05:36 PM"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.623 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4724,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309841975,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xf10ff1"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.628 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309841980,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x15"",""NewUacValue"":""0x211"",""UserAccountControl"":"" \t\t%%2050 \t\t%%2089"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.630 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309841983,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x211"",""NewUacValue"":""0x210"",""UserAccountControl"":"" \t\t%%2048"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.630 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4722,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309841984,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:18:54.699 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4732,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3108,2309847066,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:23:08.575 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309847774,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131"",""OldTargetUserName"":""Universal Security Group"",""NewTargetUserName"":""Universal Security Group123""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:23:17.977 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309847804,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129"",""OldTargetUserName"":""Global Security Group"",""NewTargetUserName"":""Global Security Group123""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:26:38.577 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4723,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8010000000000000,,736,2124,2309848860,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SubjectUserName"":""KustoKing"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2069128"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:23:26.421 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309847851,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130"",""OldTargetUserName"":""Domain Local Security Group"",""NewTargetUserName"":""Domain Local Security Group123""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:26:55.391 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4723,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8010000000000000,,736,3096,2309848912,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SubjectUserName"":""KustoKing"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x20b4ed4"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:06:09.450 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309842115,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x210"",""NewUacValue"":""0x211"",""UserAccountControl"":"" \t\t%%2080"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:06:09.450 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4725,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309842116,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:28:18.914 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4733,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309849113,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:28:34.226 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4729,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309849170,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:28:42.429 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4757,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309849211,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:14:04.954 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309845716,"{""SubjectUserSid"":""S-1-5-7"",""SubjectUserName"":""ANONYMOUS LOGON"",""SubjectDomainName"":""NT AUTHORITY"",""SubjectLogonId"":""0x3e6"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""7/8/2023 11:14:04 PM"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:14:04.954 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4724,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309845717,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x1574e03"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:16:42.712 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4731,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309846649,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130"",""SamAccountName"":""Domain Local Security Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:17:16.502 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4754,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309846735,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131"",""SamAccountName"":""Universal Security Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:16:18.919 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4727,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3108,2309846566,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129"",""SamAccountName"":""Global Security Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:18:13.424 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4756,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309846947,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:18:25.378 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4728,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309847001,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
diff --git a/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_Schema.csv b/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_Schema.csv
new file mode 100644
index 00000000000..0da0648cc94
--- /dev/null
+++ b/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_Schema.csv
@@ -0,0 +1,27 @@
+ColumnName,ColumnOrdinal,DataType,ColumnType
+TenantId,0,"System.String",string
+SourceSystem,1,"System.String",string
+TimeGenerated,2,"System.DateTime",datetime
+Provider,3,"System.String",string
+Channel,4,"System.String",string
+Computer,5,"System.String",string
+Task,6,"System.Int32",int
+EventLevel,7,"System.Int32",int
+EventLevelName,8,"System.String",string
+Data,9,"System.Object",dynamic
+EventID,10,"System.Int32",int
+ManagementGroupName,11,"System.String",string
+SystemUserId,12,"System.String",string
+Version,13,"System.Int32",int
+Opcode,14,"System.String",string
+Keywords,15,"System.String",string
+Correlation,16,"System.String",string
+SystemProcessId,17,"System.Int32",int
+SystemThreadId,18,"System.Int32",int
+EventRecordId,19,"System.String",string
+EventData,20,"System.Object",dynamic
+RawEventData,21,"System.String",string
+EventOriginId,22,"System.String",string
+TimeCreated,23,"System.DateTime",datetime
+Type,24,"System.String",string
+"_ResourceId",25,"System.String",string
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConn.zip b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConn.zip
new file mode 100644
index 00000000000..3b1cd87e9e1
Binary files /dev/null and b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConn.zip differ
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/azuredeploy_Connector_GreyNoiseAPISentinel_AzureFunction.json b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/azuredeploy_Connector_GreyNoiseAPISentinel_AzureFunction.json
new file mode 100644
index 00000000000..d1d6c9fc23e
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/azuredeploy_Connector_GreyNoiseAPISentinel_AzureFunction.json
@@ -0,0 +1,238 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "FunctionName": {
+ "defaultValue": "GreyNoise",
+ "minLength": 1,
+ "maxLength": 11,
+ "type": "string"
+ },
+ "WORKSPACE_ID": {
+ "type": "string",
+ "defaultValue": "Workspace ID"
+ },
+ "GREYNOISE_KEY": {
+ "type": "string",
+ "defaultValue": "Greynoise API Key"
+ },
+ "TENANT_ID": {
+ "type": "string",
+ "defaultValue": "Azure Tenand ID"
+ },
+ "CLIENT_ID": {
+ "type": "string",
+ "defaultValue": "Client ID"
+ },
+ "CLIENT_SECRET": {
+ "type": "string",
+ "defaultValue": "Client Secret"
+ },
+ "GREYNOISE_CLASSIFICATIONS": {
+ "type": "string",
+ "defaultValue": "malicious,unknown"
+ }
+ },
+ "variables": {
+ "FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
+ "StorageSuffix": "[environment().suffixes.storage]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/components",
+ "apiVersion": "2015-05-01",
+ "name": "[variables('FunctionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "web",
+ "properties": {
+ "Application_Type": "web",
+ "ApplicationId": "[variables('FunctionName')]"
+ }
+ },
+
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[tolower(variables('FunctionName'))]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "virtualNetworkRules": [
+ ],
+ "ipRules": [
+ ],
+ "defaultAction": "Allow"
+ },
+ "supportsHttpsTrafficOnly": true,
+ "encryption": {
+ "services": {
+ "file": {
+ "keyType": "Account",
+ "enabled": true
+ },
+ "blob": {
+ "keyType": "Account",
+ "enabled": true
+ }
+ },
+ "keySource": "Microsoft.Storage"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('FunctionName')]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Y1",
+ "tier": "Dynamic"
+ },
+ "kind": "functionapp,linux",
+ "properties": {
+ "name": "[variables('FunctionName')]",
+ "workerSize": "0",
+ "workerSizeId": "0",
+ "numberOfWorkers": "1",
+ "reserved": true,
+ "siteConfig": {
+ "linuxFxVersion": "Python|3.10"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": [
+ ]
+ },
+ "deleteRetentionPolicy": {
+ "enabled": false
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "[variables('FunctionName')]",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
+ "[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
+ "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
+ ],
+ "kind": "functionapp,linux",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "name": "[variables('FunctionName')]",
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
+ "httpsOnly": true,
+ "clientAffinityEnabled": true,
+ "alwaysOn": true,
+ "reserved": true,
+ "siteConfig": {
+ "linuxFxVersion": "Python|3.10"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2018-11-01",
+ "type": "config",
+ "name": "appsettings",
+ "dependsOn": [
+ "[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "FUNCTIONS_EXTENSION_VERSION": "~4",
+ "FUNCTIONS_WORKER_RUNTIME": "python",
+ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
+ "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
+ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "WEBSITE_CONTENTSHARE": "[toLower(variables('FunctionName'))]",
+ "WORKSPACE_ID": "[parameters('WORKSPACE_ID')]",
+ "GREYNOISE_KEY": "[parameters('GREYNOISE_KEY')]",
+ "TENANT_ID": "[parameters('TENANT_ID')]",
+ "CLIENT_ID": "[parameters('CLIENT_ID')]",
+ "CLIENT_SECRET": "[parameters('CLIENT_SECRET')]",
+ "GREYNOISE_CLASSIFICATIONS": "[parameters('GREYNOISE_CLASSIFICATIONS')]",
+ "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/raw/db458a54839b084eac0e70bbe6e2a41f34f37e2b/Solutions/GreyNoiseThreatIntelligence/Data%20Connectors/GreyNoiseAPISentinelConn.zip"
+ }
+ }
+ ]
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "shareQuota": 5120
+ }
+ }
+ ]
+ }
+
\ No newline at end of file
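Review bot: `GREYNOISE_KEY` and `CLIENT_SECRET` are declared as plain `"type": "string"` parameters with placeholder defaults, so the deployed values land in the deployment history in clear text for anyone with read access to the resource group; both should be `"type": "securestring"` and the placeholder `"defaultValue"` entries (`"Greynoise API Key"`, `"Client Secret"`) dropped so the template cannot be deployed with a stand-in secret. The same values are then written directly into the `appsettings` block; a Key Vault reference (`@Microsoft.KeyVault(...)`) would keep them out of the site config, though that is a larger change than this template may want. Two smaller items on the same hunk: the `TENANT_ID` description at `"defaultValue": "Azure Tenand ID"` has a typo, and `"alwaysOn": true` on a `Y1`/`Dynamic` plan is, as far as I recall, ignored or rejected for consumption-plan function apps, so it is worth confirming against a test deployment. The `WEBSITE_RUN_FROM_PACKAGE` URL being pinned to a specific commit is the right choice; keep that pin when the zip is updated.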