diff --git a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
index b1ce1681144..53a2b63de9d 100644
--- a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
@@ -73,7 +73,6 @@ ParserParams:
 - Name: pack
 Type: bool
 Default: false
-
 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
 let ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
new file mode 100644
index 00000000000..0f812cc8625
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
@@ -0,0 +1,39 @@
+Parser:
+ Title: User Management ASIM parser
+ Version: '0.1.0'
+ LastUpdated: 16 Jul, 2023
+Product:
+ Name: Source agnostic
+Normalization:
+ Schema: UserManagement
+ Version: '0.1'
+References:
+- Title: ASIM UserManagement Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing User Management logs from all supported sources to the ASIM User Management normalized schema.
+ParserName: ASimUserManagement
+EquivalentBuiltInParser: _ASim_UserManagement
+Parsers:
+ - _Im_UserManagement_Empty
+ - _ASim_UserManagement_MicrosoftSecurityEvent
+ParserParams:
+ - Name: pack
+ Type: bool
+ Default: false
+ParserQuery: |
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
+ let ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
+ let parser=(
+ pack:bool=false
+ ){
+ union isfuzzy=true
+ vimUserManagementEmpty,
+ ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
+ ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers)))
+ };
+ parser (
+ pack=pack
+ )
\ No newline at end of file
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementMicrosoftSecurityEvent.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementMicrosoftSecurityEvent.yaml
new file mode 100644
index 00000000000..e12186b78d5
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementMicrosoftSecurityEvent.yaml
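Review bot: The CiscoISE union member has an unterminated string literal — `'ExcludeASimUserManagementCiscoISE in (DisabledParsers)))` lacks the closing quote after `CiscoISE`, so the ParserQuery cannot compile; it should read `ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers)))`. The `Parsers:` list names only `_Im_UserManagement_Empty` and `_ASim_UserManagement_MicrosoftSecurityEvent` while the query also unions `ASimUserManagementCiscoISE`, so one of the two is out of date. The DisabledParsers expression also omits the `| where isnotempty(SourceSpecificParser)` step that imNetworkSession.yaml (first hunk) and imUserManagement.yaml in this same change keep, which makes the wrappers inconsistent for no visible reason. The file is written without a trailing newline.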
@@ -0,0 +1,252 @@
+Parser:
+ Title: User Management ASIM parser for Microsoft Security Event logs
+ Version: '0.1.0'
+ LastUpdated: 16 Jul, 2023
+Product:
+ Name: Microsoft
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: Audit User Account Management
+ Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
+Description: |
+ This ASIM parser supports normalizing Microsoft Security Event logs delivered using AMA to the ASIM UserManagement normalized schema.
+ParserName: ASimUserManagementMicrosoftSecurityEvent
+EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ disabled:bool = false
+ ) {
+ let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)
+ [
+ "4720", "UserCreated", "UserCreated", "",
+ "4722", "UserEnabled", "UserModified", "",
+ "4723", "PasswordChanged", "UserModified", "",
+ "4724", "PasswordReset", "UserModified", "",
+ "4725", "UserDisabled", "UserModified", "",
+ "4726", "UserDeleted", "UserModified", "",
+ "4727", "GroupCreated", "GroupCreated", "Global Security Enabled",
+ "4728", "UserAddedToGroup", "GroupModified", "Global Security Enabled",
+ "4729", "UserRemovedFromGroup", "GroupModified", "Global Security Enabled",
+ "4730", "GroupDeleted", "GroupModified", "Global Security Enabled",
+ "4731", "GroupCreated", "GroupCreated", "Local Security Enabled",
+ "4732", "UserAddedToGroup", "GroupModified", "Local Security Enabled",
+ "4733", "UserRemovedFromGroup", "GroupModified", "Local Security Enabled",
+ "4734", "GroupDeleted", "GroupModified", "Local Security Enabled",
+ "4738", "UserModified", "UserModified", "",
+ "4740", "UserLocked", "UserModified", "",
+ "4744", "GroupCreated", "GroupCreated", "Local Distribution",
+ "4748", "GroupDeleted", "GroupModified", "Local Distribution",
+ "4749", "GroupCreated", "GroupCreated", "Global Distribution",
+ "4753", "GroupDeleted", "GroupModified", "Global Distribution",
+ "4754", "GroupCreated", "GroupCreated", "Universal Security Enabled",
+ "4756", "UserAddedToGroup", "GroupModified", "Universal Security Enabled",
+ "4757", "UserRemovedFromGroup", "GroupModified", "Universal Security Enabled",
+ "4758", "GroupDeleted", "GroupModified", "Universal Security Enabled",
+ "4759", "GroupCreated", "GroupCreated", "Universal Distribution",
+ "4763", "GroupDeleted", "GroupModified", "Universal Distribution",
+ "4767", "UserLocked", "UserModified", "",
+ "4781", "UserModified", "UserModified", ""
+ ];
+ let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)
+ [
+ 'User', 'Regular',
+ 'Machine', 'Machine'
+ ];
+ let UserEventID = toscalar(
+ EventIDLookup
+ | where not(disabled)
+ | where EventSubType in("UserCreated","UserModified")
+ | summarize make_set(EventID)
+ );
+ let GroupEventID = toscalar(
+ EventIDLookup
+ | where not(disabled)
+ | where EventSubType in("GroupCreated","GroupModified")
+ | summarize make_set(EventID)
+ );
+ union (
+ WindowsEvent
+ | where not(disabled)
+ | where EventID in(UserEventID)
+ | extend
+ ActorOriginalUserType = tostring(EventData.AccountType),
+ ActorSessionId = tostring(EventData.SubjectLogonId),
+ ActorUserId = tostring(EventData.SubjectUserSid),
+ NewTargetUserName = tostring(EventData.NewTargetUserName),
+ OldTargetUserName = tostring(EventData.OldTargetUserName),
+ SubjectDomainName = tostring(EventData.SubjectDomainName),
+ SubjectUserName = tostring(EventData.SubjectUserName),
+ TargetDomain = tostring(EventData.TargetDomainName),
+ TargetUserId = tostring(EventData.TargetSid),
+ TargetUsername = tostring(EventData.TargetUserName),
+ EventMessage = tostring(EventData.Activity)
+ | project-rename
+ NewPropertyValue = NewTargetUserName,
+ PreviousPropertyValue = OldTargetUserName
+ | extend
+ TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage
+ | extend
+ TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
+ TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where EventID in(UserEventID)
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ TargetDomain = TargetDomainName,
+ TargetUserId = TargetSid,
+ TargetUsername = TargetUserName,
+ EventMessage = Activity
+ | parse-kv EventData as
+ (
+ OldTargetUserName:string,
+ NewTargetUserName:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ NewPropertyValue = NewTargetUserName,
+ PreviousPropertyValue = OldTargetUserName
+ | extend
+ TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage
+ | extend
+ TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
+ TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
+ ),(
+ WindowsEvent
+ | where not(disabled)
+ | where EventID in(GroupEventID)
+ | extend
+ ActorOriginalUserType = tostring(EventData.AccountType),
+ ActorSessionId = tostring(EventData.SubjectLogonId),
+ ActorUserId = tostring(EventData.SubjectUserSid),
+ GroupDomain = tostring(EventData.TargetDomainName),
+ GroupId = tostring(EventData.TargetSid),
+ GroupName = tostring(EventData.TargetUserName),
+ MemberName = tostring(EventData.MemberName),
+ MemberSid = tostring(EventData.MemberSid),
+ NewTargetUserName = tostring(EventData.NewTargetUserName),
+ OldTargetUserName = tostring(EventData.OldTargetUserName),
+ SubjectDomainName = tostring(EventData.SubjectDomainName),
+ SubjectUserName = tostring(EventData.SubjectUserName),
+ EventMessage = tostring(EventData.Activity)
+ | extend
+ GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName)),
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))
+ | where EventID in(GroupEventID)
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ GroupDomain = TargetDomainName,
+ GroupId = TargetSid,
+ GroupName = TargetUserName,
+ EventMessage = Activity
+ | extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
+ | parse-kv EventData as
+ (
+ MemberName:string,
+ MemberSid:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ TargetUsername = MemberName,
+ TargetUserId = MemberSid
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)
+ | parse-kv EventData as
+ (
+ TargetUserName:string,
+ TargetDomainName:string,
+ TargetSid:string,
+ SubjectUserSid:string,
+ AccountType:string,
+ SubjectLogonId:string,
+ SubjectDomainName:string,
+ SubjectUserName:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ GroupDomain = TargetDomainName,
+ GroupId = TargetSid,
+ GroupName = TargetUserName,
+ EventMessage = Activity
+ | extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
+ | parse-kv EventData as
+ (
+ MemberName:string,
+ MemberSid:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ )
+ | lookup EventIDLookup on EventID
+ | extend UpdatedPropertyName = EventSubType
+ | invoke _ASIM_ResolveDvcFQDN ("Computer")
+ | lookup UserTypeLookup on ActorOriginalUserType
+ | extend
+ DvcId = coalesce(_ResourceId, SourceComputerId),
+ EventOriginalType = tostring(EventID)
+ | project-rename
+ EventUid = _ItemId
+ | extend
+ ActorDomain = SubjectDomainName,
+ DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceID", ""),
+ ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)),
+ Dvc = DvcHostname,
+ DvcOs = "Windows",
+ EventCount = int(1),
+ EventEndTime = TimeGenerated,
+ EventProduct = 'Security Events',
+ EventResult = "Success",
+ EventSchema = "UserManagement",
+ EventSchemaVersion = "0.1.1",
+ EventSeverity = "Informational",
+ EventStartTime = TimeGenerated,
+ EventVendor = 'Microsoft',
+ Hostname = DvcHostname
+ | project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID
+ | extend
+ ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+ ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
+ GroupNameType = _ASIM_GetUsernameType(GroupName),
+ TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+ TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),
+ User = ActorUsername
+ };
+ parser (disabled=disabled)
\ No newline at end of file
diff --git a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
new file mode 100644
index 00000000000..142878b70c9
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
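Review bot: The final `extend` of this ASim parser never sets `ActorUserIdType`, although `ActorUserId` is filled from `SubjectUserSid` in every union leg and the filtering variant in vimUserManagementMicrosoftSecurityEvent.yaml (last hunk) derives it with `ActorUserIdType = iif(isnotempty(ActorUserId), "SID",""),`; add that line beside `ActorDomain = SubjectDomainName,` so the two parsers emit the same columns. `ActorUserType` is assigned twice — first by `| lookup UserTypeLookup on ActorOriginalUserType`, then overwritten by `ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId)` in the last `extend` — so either the lookup is dead code or the override is unintended, and a comment should say which. The reference link `https:/aka.ms/AboutASIM` is missing a slash; the same typo appears in vimUserManagementEmpty.yaml and vimUserManagementMicrosoftSecurityEvent.yaml. The Description says the logs are "delivered using AMA", yet the query also reads `SecurityEvent`, which is not AMA-specific, so the sentence undersells what the parser covers.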
@@ -0,0 +1,72 @@
+Parser:
+ Title: User Management ASIM filtering parser
+ Version: '0.1.0'
+ LastUpdated: 16 Jul, 2023
+Product:
+ Name: Source agnostic
+Normalization:
+ Schema: UserManagement
+ Version: '0.1'
+References:
+- Title: ASIM UserManagement Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing User Management logs from all supported sources to the ASIM User Management normalized schema.
+ParserName: imUserManagement
+EquivalentBuiltInParser: _Im_UserManagement
+Parsers:
+ - _Im_UserManagement_Empty
+ - _Im_UserManagement_MicrosoftSecurityEvent
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: targetusername_has
+ Type: string
+ Default: '*'
+ - Name: actorusername_has
+ Type: string
+ Default: '*'
+ - Name: targetdomain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: anydomain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: pack
+ Type: bool
+ Default: false
+ParserQuery: |
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
+ let ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
+ let parser=(
+ starttime:datetime=datetime(null),
+ endtime:datetime=datetime(null),
+ targetusername_has:string="*",
+ actorusername_has:string="",
+ targetdomain_has_any:dynamic=dynamic([]),
+ anydomain_has_any:dynamic=dynamic([]),
+ pack:bool=false)
+ {
+ union isfuzzy=true
+ vimUserManagementEmpty,
+ vimUserManagementMicrosoftSecurityEvent(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, anydomain_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),
+ vimUserManagementCiscoISE(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, anydomain_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) ))
+ };
+ parser (
+ starttime=starttime,
+ endtime=endtime,
+ targetusername_has=targetusername_has,
+ actorusername_has=actorusername_has,
+ targetdomain_has_any=targetdomain_has_any,
+ anydomain_has_any=anydomain_has_any,
+ hostname_has_any=hostname_has_any,
+ dvcaction=dvcaction,
+ eventresult=eventresult,
+ pack=pack
+ )
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml
new file mode 100644
index 00000000000..5fc49692299
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml
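Review bot: The closing `parser (...)` call passes `hostname_has_any=hostname_has_any,`, `dvcaction=dvcaction,` and `eventresult=eventresult,`, but none of those names is declared in `ParserParams` or in the `let parser=(...)` signature, so the function cannot be deployed as written; delete those three lines (they look carried over from another schema's filtering parser). The `Parsers:` list omits `_Im_UserManagement_CiscoISE` even though the union calls `vimUserManagementCiscoISE`. The source-specific parser this union names as `vimUserManagementMicrosoftSecurityEvent` is declared in vimUserManagementMicrosoftSecurityEvent.yaml (last hunk) with `ParserName: ASimUserManagementMicrosoftSecurityEvent` and `EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent`, which collides with the ASim file and leaves the `_Im_UserManagement_MicrosoftSecurityEvent` listed here undefined. The inner default `actorusername_has:string=""` also disagrees with the declared `'*'` default; harmless here because the wrapper always passes the value, but it invites a bug when copied.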
@@ -0,0 +1,111 @@
+Parser:
+ Title: User Management ASIM schema function
+ Version: '0.1.0'
+ LastUpdated: 17 Jul2023
+Product:
+ Name: Source Agnostic
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+Description: |
+ This function returns an empty ASIM UserManagement schema
+ParserName: vimUserManagementEmpty
+EquivalentBuiltInParser: _Im_UserManagement_Empty
+ParserQuery: |
+ let parser=datatable(
+ TimeGenerated:datetime,
+ _ResourceId:string,
+ Type:string,
+ ActorUsername:string, // Mandatory
+ ActorUsernameType:string, // Mandatory
+ Dvc:string, // Mandatory
+ EventCount:int, // Mandatory
+ EventEndTime:datetime, // Mandatory
+ EventProduct:string, // Mandatory
+ EventResult:string, // Mandatory
+ EventSchema:string, // Mandatory
+ EventSchemaVersion:string, // Mandatory
+ EventSeverity:string, // Mandatory
+ EventStartTime:datetime, // Mandatory
+ EventType:string, // Mandatory
+ EventVendor:string, // Mandatory
+ DvcAction:string, // Recommended
+ DvcDomain:string, // Recommended
+ DvcDomainType:string, // Recommended
+ DvcFQDN:string, // Recommended
+ DvcHostname:string, // Recommended
+ DvcId:string, // Recommended
+ DvcIdType:string, // Recommended
+ DvcIpAddr:string, // Recommended
+ EventResultDetails:string, // Recommended
+ EventUid:string, // Recommended
+ Src:string, // Recommended
+ SrcDomain:string, // Recommended
+ SrcDomainType:string, // Recommended
+ SrcHostname:string, // Recommended
+ SrcIpAddr:string, // Recommended
+ ActingAppId:string, // Optional
+ ActingAppType:string, // Optional
+ ActiveAppName:string, // Optional
+ ActorOriginalUserType:string, // Optional
+ ActorSessionId:string, // Optional
+ ActorUserId:string, // Optional
+ ActorUserIdType:string, // Optional
+ ActorUserType:string, // Optional
+ AdditionalFields:dynamic, // Optional
+ DvcDescription:string, // Optional
+ DvcInterface:string, // Optional
+ DvcMacAddr:string, // Optional
+ DvcOriginalAction:string, // Optional
+ DvcOs:string, // Optional
+ DvcOsVersion:string, // Optional
+ DvcScope:string, // Optional
+ DvcScopeId:string, // Optional
+ DvcZone:string, // Optional
+ EventMessage:string, // Optional
+ EventOriginalResultDetails:string, // Optional
+ EventOriginalSeverity:string, // Optional
+ EventOriginalSubType:string, // Optional
+ EventOriginalType:string, // Optional
+ EventOriginalUid:string, // Optional
+ EventOwner:string, // Optional
+ EventProductVersion:string, // Optional
+ EventReportUrl:string, // Optional
+ EventSubType:string, // Optional
+ GroupId:string, // Optional
+ GroupIdType:string, // Optional
+ GroupName:string, // Optional
+ GroupNameType:string, // Optional
+ GroupOriginalType:string, // Optional
+ GroupType:string, // Optional
+ HttpUserAgent:string, // Optional
+ NewPropertyValue:string, // Optional
+ PreviousPropertyValue:string, // Optional
+ SrcDeviceType:string, // Optional
+ SrcDvcId:string, // Optional
+ SrcDvcIdType:string, // Optional
+ SrcDvcScope:string, // Optional
+ SrcDvcScopeId:string, // Optional
+ SrcFQDN:string, // Optional
+ SrcGeoCity:string, // Optional
+ SrcGeoCountry:string, // Optional
+ SrcGeoLatitude:string, // Optional
+ SrcGeoLongitude:string, // Optional
+ SrcGeoRegion:string, // Optional
+ TargetOriginalUserType:string, // Optional
+ TargetUserId:string, // Optional
+ TargetUserIdType:string, // Optional
+ TargetUsername:string, // Optional
+ TargetUsernameType:string, // Optional
+ TargetUserType:string, // Optional
+ Hostname:string, // Alias
+ IpAddr:string, // Alias
+ UpdatedPropertyName:string, // Alias
+ User:string // Alias
+ )[];
+ parser
\ No newline at end of file
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
new file mode 100644
index 00000000000..d66c022d0a1
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
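Review bot: The optional column `ActiveAppName:string` sits between `ActingAppId` and `ActingAppType`, which suggests it should be `ActingAppName` — presumably a typo, and as written the empty schema carries a column name no other file in this change uses; confirm against the schema doc linked above. `LastUpdated: 17 Jul2023` is missing the comma and space the other files in this change use (`16 Jul, 2023`), and the ASIM link `https:/aka.ms/AboutASIM` lacks a slash. The file also ends without a trailing newline.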
@@ -0,0 +1,328 @@
+Parser:
+ Title: User Management ASIM parser for Microsoft Security Event logs
+ Version: '0.1.0'
+ LastUpdated: 16 Jul, 2023
+Product:
+ Name: Microsoft
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: Audit User Account Management
+ Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
+Description: |
+ This ASIM parser supports normalizing Microsoft Security Event logs delivered using AMA to the ASIM UserManagement normalized schema.
+ParserName: ASimUserManagementMicrosoftSecurityEvent
+EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: targetusername_has
+ Type: string
+ Default: '*'
+ - Name: actorusername_has
+ Type: string
+ Default: '*'
+ - Name: targetdomain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: anydomain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ starttime:datetime=datetime(null),
+ endtime:datetime=datetime(null),
+ targetusername_has:string="*",
+ actorusername_has:string="",
+ targetdomain_has_any:dynamic=dynamic([]),
+ anydomain_has_any:dynamic=dynamic([]),
+ disabled:bool=false
+ ) {
+ let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)
+ [
+ "4720", "UserCreated", "UserCreated", "",
+ "4722", "UserEnabled", "UserModified", "",
+ "4723", "PasswordChanged", "UserModified", "",
+ "4724", "PasswordReset", "UserModified", "",
+ "4725", "UserDisabled", "UserModified", "",
+ "4726", "UserDeleted", "UserModified", "",
+ "4727", "GroupCreated", "GroupCreated", "Global Security Enabled",
+ "4728", "UserAddedToGroup", "GroupModified", "Global Security Enabled",
+ "4729", "UserRemovedFromGroup", "GroupModified", "Global Security Enabled",
+ "4730", "GroupDeleted", "GroupModified", "Global Security Enabled",
+ "4731", "GroupCreated", "GroupCreated", "Local Security Enabled",
+ "4732", "UserAddedToGroup", "GroupModified", "Local Security Enabled",
+ "4733", "UserRemovedFromGroup", "GroupModified", "Local Security Enabled",
+ "4734", "GroupDeleted", "GroupModified", "Local Security Enabled",
+ "4738", "UserModified", "UserModified", "",
+ "4740", "UserLocked", "UserModified", "",
+ "4744", "GroupCreated", "GroupCreated", "Local Distribution",
+ "4748", "GroupDeleted", "GroupModified", "Local Distribution",
+ "4749", "GroupCreated", "GroupCreated", "Global Distribution",
+ "4753", "GroupDeleted", "GroupModified", "Global Distribution",
+ "4754", "GroupCreated", "GroupCreated", "Universal Security Enabled",
+ "4756", "UserAddedToGroup", "GroupModified", "Universal Security Enabled",
+ "4757", "UserRemovedFromGroup", "GroupModified", "Universal Security Enabled",
+ "4758", "GroupDeleted", "GroupModified", "Universal Security Enabled",
+ "4759", "GroupCreated", "GroupCreated", "Universal Distribution",
+ "4763", "GroupDeleted", "GroupModified", "Universal Distribution",
+ "4767", "UserLocked", "UserModified", "",
+ "4781", "UserModified", "UserModified", ""
+ ];
+ let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)
+ [
+ 'Machine', 'Machine',
+ 'User', 'Regular'
+ ];
+ let UserEventID = toscalar(
+ EventIDLookup
+ | where not(disabled)
+ | where EventSubType in("UserCreated","UserModified")
+ | summarize make_set(EventID)
+ );
+ let GroupEventID = toscalar(
+ EventIDLookup
+ | where not(disabled)
+ | where EventSubType in("GroupCreated","GroupModified")
+ | summarize make_set(EventID)
+ );
+ union (
+ WindowsEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where EventID in(UserEventID)
+ | where (targetusername_has=='*' or (EventData has targetusername_has)) and
+ (actorusername_has=='*' or (EventData has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
+ | extend
+ ActorOriginalUserType = tostring(EventData.AccountType),
+ ActorSessionId = tostring(EventData.SubjectLogonId),
+ ActorUserId = tostring(EventData.SubjectUserSid),
+ NewTargetUserName = tostring(EventData.NewTargetUserName),
+ OldTargetUserName = tostring(EventData.OldTargetUserName),
+ SubjectDomainName = tostring(EventData.SubjectDomainName),
+ SubjectUserName = tostring(EventData.SubjectUserName),
+ TargetDomain = tostring(EventData.TargetDomainName),
+ TargetUserId = tostring(EventData.TargetSid),
+ TargetUsername = tostring(EventData.TargetUserName),
+ EventMessage = tostring(EventData.Activity)
+ | where (targetusername_has=='*' or (TargetUsername has targetusername_has)) and
+ (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (TargetDomain has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (TargetDomain has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | project-rename
+ NewPropertyValue = NewTargetUserName,
+ PreviousPropertyValue = OldTargetUserName
+ | extend
+ TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage
+ | extend
+ TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
+ TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where EventID in(UserEventID)
+ | where (targetusername_has=='*' or (TargetUserName has targetusername_has)) and
+ (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ TargetDomain = TargetDomainName,
+ TargetUserId = TargetSid,
+ TargetUsername = TargetUserName,
+ EventMessage = Activity
+ | parse-kv EventData as
+ (
+ OldTargetUserName:string,
+ NewTargetUserName:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | project-rename
+ NewPropertyValue = NewTargetUserName,
+ PreviousPropertyValue = OldTargetUserName
+ | extend
+ TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage
+ | extend
+ TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
+ TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
+ ),(
+ WindowsEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where EventID in(GroupEventID)
+ | where (targetusername_has=='*' or (EventData has targetusername_has)) and
+ (actorusername_has=='*' or (EventData has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
+ | extend
+ ActorOriginalUserType = tostring(EventData.AccountType),
+ ActorSessionId = tostring(EventData.SubjectLogonId),
+ ActorUserId = tostring(EventData.SubjectUserSid),
+ GroupDomain = tostring(EventData.TargetDomainName),
+ GroupId = tostring(EventData.TargetSid),
+ GroupName = tostring(EventData.TargetUserName),
+ MemberName = tostring(EventData.MemberName),
+ MemberSid = tostring(EventData.MemberSid),
+ NewTargetUserName = tostring(EventData.NewTargetUserName),
+ OldTargetUserName = tostring(EventData.OldTargetUserName),
+ SubjectDomainName = tostring(EventData.SubjectDomainName),
+ SubjectUserName = tostring(EventData.SubjectUserName),
+ EventMessage = tostring(EventData.Activity)
+ | where (targetusername_has=='*' or (NewTargetUserName has targetusername_has) or (OldTargetUserName has targetusername_has) or (MemberName has targetusername_has)) and
+ (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (GroupDomain has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (GroupDomain has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | extend
+ GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName)),
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))
+ | where EventID in(GroupEventID)
+ | where (targetusername_has=='*' or (EventData has targetusername_has)) and
+ (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ GroupDomain = TargetDomainName,
+ GroupId = TargetSid,
+ GroupName = TargetUserName,
+ EventMessage = Activity
+ | extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
+ | parse-kv EventData as
+ (
+ MemberName:string,
+ MemberSid:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | where (targetusername_has=='*' or (MemberName has targetusername_has))
+ | project-rename
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ ),(
+ SecurityEvent
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)
+ | where (targetusername_has=='*' or (EventData has targetusername_has)) and
+ (actorusername_has=='*' or (EventData has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
+ | parse-kv EventData as
+ (
+ TargetUserName:string,
+ TargetDomainName:string,
+ TargetSid:string,
+ SubjectUserSid:string,
+ AccountType:string,
+ SubjectLogonId:string,
+ SubjectDomainName:string,
+ SubjectUserName:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | where (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
+ (array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
+ (array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
+ | project-rename
+ ActorOriginalUserType = AccountType,
+ ActorSessionId = SubjectLogonId,
+ ActorUserId = SubjectUserSid,
+ GroupDomain = TargetDomainName,
+ GroupId = TargetSid,
+ GroupName = TargetUserName,
+ EventMessage = Activity
+ | extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
+ | parse-kv EventData as
+ (
+ MemberName:string,
+ MemberSid:string
+ )
+ with (regex=@'{?([^<]*?)}?')
+ | where (targetusername_has=='*' or (MemberName has targetusername_has))
+ | project-rename
+ TargetUserId = MemberSid,
+ TargetUsername = MemberName
+ | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
+ | extend
+ GroupIdType = iif(isnotempty(GroupId), "SID","")
+ )
+ | lookup EventIDLookup on EventID
+ | extend UpdatedPropertyName = EventSubType
+ | invoke _ASIM_ResolveDvcFQDN ("Computer")
+ | lookup UserTypeLookup on ActorOriginalUserType
+ | extend
+ DvcId = coalesce(_ResourceId, SourceComputerId),
+ EventOriginalType = tostring(EventID)
+ | project-rename
+ EventUid = _ItemId
+ | extend
+ ActorDomain = SubjectDomainName,
+ ActorUserIdType = iif(isnotempty(ActorUserId), "SID",""),
+ ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)),
+ Dvc = DvcHostname,
+ DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceID", ""),
+ DvcOs = "Windows",
+ EventCount = int(1),
+ EventEndTime =
TimeGenerated, + EventProduct = 'Security Events', + EventResult = "Success", + EventSchema = "UserManagement", + EventSchemaVersion = "0.1.1", + EventSeverity = "Informational", + EventStartTime = TimeGenerated, + EventVendor = 'Microsoft', + Hostname = DvcHostname + | project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID + | extend + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), + ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId), + GroupNameType = _ASIM_GetUsernameType(GroupName), + TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId), + User = ActorUsername + }; + parser ( + starttime = starttime, + endtime = endtime, + targetusername_has = targetusername_has, + actorusername_has = actorusername_has, + targetdomain_has = targetdomain_has, + anydomain_has = anydomain_has, + disabled=disabled + ) \ No newline at end of file diff --git a/Parsers/ASimUserManagement/README.md b/Parsers/ASimUserManagement/README.md new file mode 100644 index 00000000000..7ab17039b52 --- /dev/null +++ b/Parsers/ASimUserManagement/README.md @@ -0,0 +1,17 @@ +# Advanced Security Information Model (ASIM) UserManagement parsers + +This template deploys all ASIM UserManagement parsers. + +The Advanced Security Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM UserManagement normalization schema reference](https://aka.ms/ASimUserManagementDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimUserManagementARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimUserManagementARMgov) + +
\ No newline at end of file diff --git a/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_IngestedLogs.csv b/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_IngestedLogs.csv new file mode 100644 index 00000000000..248da52e6d4 --- /dev/null +++ b/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_IngestedLogs.csv 
@@ -0,0 +1,1100 @@ +TenantId,"TimeGenerated [UTC]",SourceSystem,Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,SourceComputerId,EventOriginId,MG,"TimeCollected [UTC]",ManagementGroupName,AccessList,AccessMask,AccessReason,AccountDomain,AccountExpires,AccountName,AccountSessionIdentifier,AdditionalInfo,AdditionalInfo2,AllowedToDelegateTo,Attributes,AuditPolicyChanges,AuditsDiscarded,AuthenticationLevel,AuthenticationPackageName,AuthenticationProvider,AuthenticationServer,AuthenticationService,AuthenticationType,CACertificateHash,CalledStationID,CallerProcessId,CallerProcessName,CallingStationID,CAPublicKeyHash,CategoryId,CertificateDatabaseHash,ClassId,ClassName,ClientAddress,ClientIPAddress,ClientName,CommandLine,CompatibleIds,DCDNSName,DeviceDescription,DeviceId,DisplayName,Disposition,DomainBehaviorVersion,DomainName,DomainPolicyChanged,DomainSid,EAPType,ElevatedToken,ErrorCode,ExtendedQuarantineState,FailureReason,FileHash,FilePath,FilePathNoUser,Filter,ForceLogoff,Fqbn,FullyQualifiedSubjectMachineName,FullyQualifiedSubjectUserName,GroupMembership,HandleId,HardwareIds,HomeDirectory,HomePath,ImpersonationLevel,InterfaceUuid,IpAddress,IpPort,KeyLength,LmPackageName,LocationInformation,LockoutDuration,LockoutObservationWindow,LockoutThreshold,LoggingResult,LogonGuid,LogonHours,LogonID,LogonProcessName,LogonType,LogonTypeName,MachineAccountQuota,MachineInventory,MachineLogon,MandatoryLabel,MaxPasswordAge,MemberName,MemberSid,MinPasswordAge,MinPasswordLength,MixedDomainMode,NASIdentifier,NASIPv4Address,NASIPv6Address,NASPort,NASPortType,NetworkPolicyName,NewDate,NewMaxUsers,NewProcessId,NewProcessName,NewRemark,NewShareFlags,NewTime,NewUacValue,NewValue,NewValueType,ObjectName,ObjectServer,ObjectType,ObjectValueName,OemInformation,OldMaxUsers,OldRemark,OldShareFlags,OldUacValue,OldValue,OldValueType,OperationType,PackageName,ParentProcessName,PasswordHistoryLength,PasswordLastSet,PasswordProperties,PreviousDate,PreviousTime,
PrimaryGroupId,PrivateKeyUsageCount,PrivilegeList,Process,ProcessId,ProcessName,Properties,ProfilePath,ProtocolSequence,ProxyPolicyName,QuarantineHelpURL,QuarantineSessionID,QuarantineSessionIdentifier,QuarantineState,QuarantineSystemHealthResult,RelativeTargetName,RemoteIpAddress,RemotePort,Requester,RequestId,RestrictedAdminMode,RowsDeleted,SamAccountName,ScriptPath,SecurityDescriptor,ServiceAccount,ServiceFileName,ServiceName,ServiceStartType,ServiceType,SessionName,ShareLocalPath,ShareName,SidHistory,Status,SubjectAccount,SubcategoryGuid,SubcategoryId,Subject,SubjectDomainName,SubjectKeyIdentifier,SubjectLogonId,SubjectMachineName,SubjectMachineSID,SubjectUserName,SubjectUserSid,SubStatus,TableId,TargetAccount,TargetDomainName,TargetInfo,TargetLinkedLogonId,TargetLogonGuid,TargetLogonId,TargetOutboundDomainName,TargetOutboundUserName,TargetServerName,TargetSid,TargetUser,TargetUserName,TargetUserSid,TemplateContent,TemplateDSObjectFQDN,TemplateInternalName,TemplateOID,TemplateSchemaVersion,TemplateVersion,TokenElevationType,TransmittedServices,UserAccountControl,UserParameters,UserPrincipalName,UserWorkstations,VirtualAccount,VendorIds,Workstation,WorkstationName,PartitionKey,RowKey,StorageAccount,AzureDeploymentID,AzureTableName,Type,"_ResourceId" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:54:32.103 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0," + Global Distribution Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1132 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + Global Distribution Group + - +",4749,"4749 - A security-disabled global group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:55:00.946 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:53:24.078 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + Universal Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1131 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4758,"4758 - A security-enabled universal group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:54:00.934 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Universal Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,"Universal Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:53:32.979 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + Global Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1129 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4730,"4730 - A 
security-enabled global group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:54:00.934 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Global Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,"Global Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:53:37.641 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + Domain Local Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1130 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4734,"4734 - A security-enabled local group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:54:00.934 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,"Domain Local Security 
Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:55:06.584 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0," + Domain Local Distribution Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1133 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + Domain Local Distribution Group + - +",4744,"4744 - A security-disabled local group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:55:40.696 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:55:27.233 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0," + Universal Distribution Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1134 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + Universal Distribution Group + - +",4759,"4759 - A security-disabled universal group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:56:00.765 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:56:38.773 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0," + Universal Distribution Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1134 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4763,4763,"cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:57:01.215 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:56:53.397 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0," + Global Distribution Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1132 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4753,"4753 - A security-disabled global group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:57:20.666 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 10:21:05.504 PM",OpsManager,"CL01\KustoKing",,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + CL01 + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-18 + DC1$ + KUSTOWORKS + 0x3e7 +",4740,"4740 - A user account was locked out.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 10:21:40.877 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\DC1$",,,,KUSTOWORKS,,0x3e7,,,"DC1$","S-1-5-18",,,"CL01\KustoKing",CL01,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 10:21:35.353 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0,,4767,"4767 - A user account was unlocked.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 10:22:00.754 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 10:04:11.926 PM",OpsManager,,,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13827,0," + Domain Local Distribution Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1133 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4748,"4748 - A security-disabled local group was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 10:04:41.113 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:02.628 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - + KustoKing + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user 
account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:49.868 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,KustoKing,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:02.628 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKingRenamed + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:49.868 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" 
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:05.246 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - + - + - + KustoKingRenamed@kustoworks.com + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:49.868 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","KustoKingRenamed@kustoworks.com","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:14.626 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - + - + - + KustoKing@kustoworks.com + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:49.868 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","KustoKing@kustoworks.com","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:32:49.720 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKingRenamed + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - + KustoKingRenamed + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:44.543 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,KustoKingRenamed,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKingRenamed",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKingRenamed,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" 
+"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:32:49.720 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KustoKingRenamed + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:01:44.543 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:40.164 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + Domain Local Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1135 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - + Domain Local Group + - +",4731,"4731 - A security-enabled local group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:02:00.581 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,"Domain Local 
Group",,,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1135",,"Domain Local Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:50.831 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + Domain Local Group + Domain Local Group Renamed + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1135 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:02:00.581 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1135",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:51.602 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + Domain Local Group Renamed + Domain Local Group Renamed + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1135 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - 
+",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:02:00.581 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1135",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/12/2023, 5:33:58.257 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + Domain Local Group Renamed + Domain Local Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1135 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x118925a + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/12/2023, 6:02:00.581 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x118925a,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1135",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:21:50.103 
AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + Administrator RENAME + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-500 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - + Administrator RENAME + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:13.324 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"Administrator RENAME","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Administrator RENAME",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,"Administrator RENAME",,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:21:50.103 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + Administrator + Administrator RENAME + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-500 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:13.324 
AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:18.686 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + Administrator + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-500 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - + Administrator + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:17.058 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,Administrator,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Administrator",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,Administrator,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:18.686 
AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + Administrator RENAME + Administrator + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-500 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:17.058 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:27.199 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + Administrator + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-500 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - + - + - + Administrator + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:22.418 
AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Administrator",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-500",,Administrator,,,,,,,,,,"-","-",Administrator,"-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:40.246 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + DHCP Users + DHCP Users This one too + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1103 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:27.160 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1103",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:42.539 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," 
+ DHCP Users This one too + DHCP Users This one too + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1103 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:27.160 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1103",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:56.509 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + DHCP Users This one too + DHCP Users + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1103 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:27.160 
AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1103",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/13/2023, 9:22:57.317 AM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + DHCP Users + DHCP Users + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1103 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x2e7842 + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/13/2023, 10:03:27.160 AM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x2e7842,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1103",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:16:18.919 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + Global Security Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1129 + 
S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + Global Security Group + - +",4727,"4727 - A security-enabled global group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:35.100 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,"Global Security Group",,,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Global Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,"Global Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:16:42.712 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + Domain Local Security Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1130 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + Domain Local Security Group + - +",4731,"4731 - A security-enabled local group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:36.761 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,"Domain Local Security Group",,,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Security 
Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,"Domain Local Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:17:16.502 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + Universal Security Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1131 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + Universal Security Group + - +",4754,"4754 - A security-enabled universal group was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:37.476 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,"Universal Security Group",,,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Universal Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,"Universal Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:18:13.424 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + CN=KustoKing,CN=Users,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1128 + Universal Security Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1131 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - 
+",4756,"4756 - A member was added to a security-enabled universal group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:48.995 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Universal Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,"Universal Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:18:54.699 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + CN=KustoKing,CN=Users,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1128 + Domain Local Security Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1130 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4732,"4732 - A member was added to a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:59.260 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,"Domain Local Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:23:08.575 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + Universal Security Group + Universal Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1131 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:30:27.599 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:23:17.977 
PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + Global Security Group + Global Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1129 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:30:27.599 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:23:26.421 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + Domain Local Security Group + Domain Local Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1130 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4781,"4781 - The name of an account was changed:","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:30:32.350 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,KUSTOWORKS,KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:26:38.577 PM",OpsManager,"KUSTOWORKS\KustoKing",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-1128 + KustoKing + KUSTOWORKS + 0x2069128 + - +",4723,"4723 - An attempt was made to change an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:12.374 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\KustoKing",,,,KUSTOWORKS,,0x2069128,,,KustoKing,"S-1-5-21-2496762881-1366215883-1809657155-1128",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:26:55.391 PM",OpsManager,"KUSTOWORKS\KustoKing",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + 
S-1-5-21-2496762881-1366215883-1809657155-1128 + KustoKing + KUSTOWORKS + 0x20b4ed4 + - +",4723,"4723 - An attempt was made to change an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:13.652 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\KustoKing",,,,KUSTOWORKS,,0x20b4ed4,,,KustoKing,"S-1-5-21-2496762881-1366215883-1809657155-1128",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:28:18.914 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + CN=KustoKing,CN=Users,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1128 + Domain Local Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1130 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4733,"4733 - A member was removed from a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:32.194 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Domain Local Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1130",,"Domain Local Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:28:34.226 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + CN=KustoKing,CN=Users,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1128 + Global Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1129 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4729,"4729 - A member was removed from a security-enabled global group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:36.703 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Global Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,"Global Security 
Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:28:42.429 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + CN=KustoKing,CN=Users,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1128 + Universal Security Group123 + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1131 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4757,"4757 - A member was removed from a security-enabled universal group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:31:41.730 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Universal Security Group123",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1131",,"Universal Security Group123",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:06:09.450 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + - + - + - + - + - + - + - + - + - + - + - + - + 0x210 + 
0x211 + %%2080 + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:13:10.346 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x211,,,,,,,,,,,0x210,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2080","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:06:09.450 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b +",4725,"4725 - A user account was disabled.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:13:10.346 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" 
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:06:31.375 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + - + - + - + - + - + - + - + - + - + - + - + - + 0x211 + 0x210 + %%2048 + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:13:11.034 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x210,,,,,,,,,,,0x211,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2048","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:06:31.375 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b +",4722,"4722 - A user account was enabled.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:13:11.034 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:14:04.954 PM",OpsManager,"NT AUTHORITY\ANONYMOUS LOGON",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x3e6 + - + - + - + - + - + - + - + - + - + 7/8/2023 11:14:04 PM + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:14:49.641 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"7/8/2023 11:14:04 PM",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"NT AUTHORITY\ANONYMOUS LOGON",,,,"NT AUTHORITY",,0x3e6,,,"ANONYMOUS LOGON","S-1-5-7",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:14:04.954 
PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x1574e03 +",4724,"4724 - An attempt was made to reset an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:14:49.641 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x1574e03,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:04:50.338 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1127 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4726,"4726 - A user account was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:49.612 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1127",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.564 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + KustoKing + KustoKing + KustoKing@kustoworks.com + - + - + - + - + - + %%1794 + %%1794 + 513 + - + 0x0 + 0x15 + %%2080 %%2082 %%2084 + - + - + %%1793 +",4720,"4720 - A user account was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"%%1794",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,KustoKing,,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"%%1793",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x15,,,,,,,,,,,0x0,,,,,,,"%%1794",,,,513,,"-",,,,,"-",,,,,,,,,,,,,,,KustoKing,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2080 %%2082 %%2084","-","KustoKing@kustoworks.com","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" 
+"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.623 PM",OpsManager,"NT AUTHORITY\ANONYMOUS LOGON",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x3e6 + - + - + - + - + - + - + - + - + - + 7/8/2023 11:05:36 PM + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"7/8/2023 11:05:36 PM",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"NT AUTHORITY\ANONYMOUS LOGON",,,,"NT AUTHORITY",,0x3e6,,,"ANONYMOUS LOGON","S-1-5-7",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.623 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xf10ff1 +",4724,"4724 - An attempt was made to reset an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xf10ff1,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.628 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + - + - + - + - + - + - + - + - + - + - + - + - + 0x15 + 0x211 + %%2050 %%2089 + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x211,,,,,,,,,,,0x15,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2050 %%2089","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.630 
PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + - + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - + - + - + - + - + - + - + - + - + - + - + - + - + 0x211 + 0x210 + %%2048 + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x210,,,,,,,,,,,0x211,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,," %%2048","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:05:36.630 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13824,0," + KustoKing + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1128 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b +",4722,"4722 - A user account was enabled.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:12:59.988 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\KustoKing",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1128",,KustoKing,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","7/8/2023, 9:18:25.378 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,13826,0," + CN=KustoKing,CN=Users,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1128 + Global Security Group + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1129 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0xa6a86b + - +",4728,"4728 - A member was added to a security-enabled global group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","7/8/2023, 9:29:54.046 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=KustoKing,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1128",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0xa6a86b,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\Global Security Group",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1129",,"Global Security Group",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" 
+"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:00:50.147 PM",OpsManager,"KUSTOWORKS\DC1$",Machine,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + gMSAMDIRead$ + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1105 + S-1-5-18 + DC1$ + KUSTOWORKS + 0x3e7 +",4724,"4724 - An attempt was made to reset an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:07:29.042 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\DC1$",,,,KUSTOWORKS,,0x3e7,,,"DC1$","S-1-5-18",,,"KUSTOWORKS\gMSAMDIRead$",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1105",,"gMSAMDIRead$",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:40:19.443 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + CN=panosuserid,CN=Users,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1114 + Event Log Readers + Builtin + S-1-5-32-573 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - +",4733,"4733 - A member was removed from a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:40:35.752 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=panosuserid,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1114",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"Builtin\Event Log Readers",Builtin,,,,,,,,"S-1-5-32-573",,"Event Log Readers",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:40:49.887 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + panosuserid + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1114 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - +",4726,"4726 - A user account was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:15.722 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\panosuserid",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1114",,panosuserid,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:40:51.846 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + kustotest + 
KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1107 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - +",4726,"4726 - A user account was deleted.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:15.722 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\kustotest",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1107",,kustotest,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.323 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + subscriptionuser + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1126 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - + subscriptionuser + subscriptionuser + subscriptionuser@kustoworks.com + - + - + - + - + - + %%1794 + %%1794 + 513 + - + 0x0 + 0x15 + %%2080 %%2082 %%2084 + - + - + %%1793 +",4720,"4720 - A user account was created.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 
PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"%%1794",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,subscriptionuser,,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"%%1793",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x15,,,,,,,,,,,0x0,,,,,,,"%%1794",,,,513,,"-",,,,,"-",,,,,,,,,,,,,,,subscriptionuser,"-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,," %%2080 %%2082 %%2084","-","subscriptionuser@kustoworks.com","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.385 PM",OpsManager,"NT AUTHORITY\ANONYMOUS LOGON",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + - + subscriptionuser + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1126 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x3e6 + - + - + - + - + - + - + - + - + - + 4/20/2023 8:41:36 PM + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"4/20/2023 8:41:36 PM",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"NT AUTHORITY\ANONYMOUS LOGON",,,,"NT AUTHORITY",,0x3e6,,,"ANONYMOUS 
LOGON","S-1-5-7",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.385 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + subscriptionuser + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1126 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x7b029c +",4724,"4724 - An attempt was made to reset an account's password.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x7b029c,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.399 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + - + subscriptionuser + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1126 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +",4738,"4738 - A user account was 
changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,"-",,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,,"-","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.401 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + - + subscriptionuser + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1126 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - + - + - + - + - + - + - + - + - + - + - + - + - + 0x15 + 0x211 + %%2050 %%2089 + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x211,,,,,,,,,,,0x15,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,," %%2050 
%%2089","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.402 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + - + subscriptionuser + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1126 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - + - + - + - + - + - + - + - + - + - + - + - + - + 0x211 + 0x210 + %%2048 + - + - + - +",4738,"4738 - A user account was changed.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,"-",,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,"-","-",,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,0x210,,,,,,,,,,,0x211,,,,,,,"-",,,,"-",,"-",,,,,"-",,,,,,,,,,,,,,,"-","-",,,,,,,,,,"-",,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,," %%2048","-","-","-",,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:41:36.402 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + subscriptionuser + KUSTOWORKS + S-1-5-21-2496762881-1366215883-1809657155-1126 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e +",4722,"4722 - A user account was 
enabled.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:41:55.737 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"KUSTOWORKS\subscriptionuser",KUSTOWORKS,,,,,,,,"S-1-5-21-2496762881-1366215883-1809657155-1126",,subscriptionuser,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:42:08.586 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + CN=WEF1,CN=Computers,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1108 + Event Log Readers + Builtin + S-1-5-32-573 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - +",4732,"4732 - A member was added to a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:42:35.733 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=WEF1,CN=Computers,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1108",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"Builtin\Event Log Readers",Builtin,,,,,,,,"S-1-5-32-573",,"Event Log 
Readers",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:42:08.586 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + CN=subscriptionuser,CN=Users,DC=kustoworks,DC=com + S-1-5-21-2496762881-1366215883-1809657155-1126 + Event Log Readers + Builtin + S-1-5-32-573 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - +",4732,"4732 - A member was added to a security-enabled local group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:42:35.733 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CN=subscriptionuser,CN=Users,DC=kustoworks,DC=com","S-1-5-21-2496762881-1366215883-1809657155-1126",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"Builtin\Event Log Readers",Builtin,,,,,,,,"S-1-5-32-573",,"Event Log Readers",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" +"01680ad8-1090-4dec-a395-f77b161a9051","4/20/2023, 6:42:08.586 PM",OpsManager,"KUSTOWORKS\Administrator",User,"DC1.kustoworks.com","Microsoft-Windows-Security-Auditing",Security,1,0," + - + S-1-5-20 + Event Log Readers + Builtin + S-1-5-32-573 + S-1-5-21-2496762881-1366215883-1809657155-500 + Administrator + KUSTOWORKS + 0x3aeb8e + - +",4732,"4732 - A member was added to a security-enabled local 
group.","cc046e6c-795c-47b2-a5ae-c9a0645e6d32","cc046e6c-795c-47b2-a5ae-c9a0645e6d33","00000000-0000-0000-0000-000000000001","4/20/2023, 6:42:35.733 PM","AOI-01680ad8-1090-4dec-a395-f77b161a9051",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-","S-1-5-20",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"-",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"KUSTOWORKS\Administrator",,,,KUSTOWORKS,,0x3aeb8e,,,Administrator,"S-1-5-21-2496762881-1366215883-1809657155-500",,,"Builtin\Event Log Readers",Builtin,,,,,,,,"S-1-5-32-573",,"Event Log Readers",,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/dc1" diff --git a/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_Schema.csv b/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_Schema.csv new file mode 100644 index 00000000000..19191eedf65 --- /dev/null +++ b/Sample Data/ASIM/Microsoft_Windows_UserManagement_SecurityEvent_Schema.csv 
@@ -0,0 +1,226 @@ +ColumnName,ColumnOrdinal,DataType,ColumnType +TenantId,0,"System.String",string +TimeGenerated,1,"System.DateTime",datetime +SourceSystem,2,"System.String",string +Account,3,"System.String",string +AccountType,4,"System.String",string +Computer,5,"System.String",string +EventSourceName,6,"System.String",string +Channel,7,"System.String",string +Task,8,"System.Int32",int +Level,9,"System.String",string +EventData,10,"System.String",string +EventID,11,"System.Int32",int +Activity,12,"System.String",string +SourceComputerId,13,"System.String",string +EventOriginId,14,"System.String",string +MG,15,"System.String",string +TimeCollected,16,"System.DateTime",datetime +ManagementGroupName,17,"System.String",string +AccessList,18,"System.String",string +AccessMask,19,"System.String",string +AccessReason,20,"System.String",string +AccountDomain,21,"System.String",string +AccountExpires,22,"System.String",string +AccountName,23,"System.String",string +AccountSessionIdentifier,24,"System.String",string +AdditionalInfo,25,"System.String",string +AdditionalInfo2,26,"System.String",string +AllowedToDelegateTo,27,"System.String",string +Attributes,28,"System.String",string +AuditPolicyChanges,29,"System.String",string +AuditsDiscarded,30,"System.Int32",int +AuthenticationLevel,31,"System.Int32",int +AuthenticationPackageName,32,"System.String",string +AuthenticationProvider,33,"System.String",string +AuthenticationServer,34,"System.String",string +AuthenticationService,35,"System.Int32",int +AuthenticationType,36,"System.String",string +CACertificateHash,37,"System.String",string +CalledStationID,38,"System.String",string +CallerProcessId,39,"System.String",string +CallerProcessName,40,"System.String",string +CallingStationID,41,"System.String",string +CAPublicKeyHash,42,"System.String",string +CategoryId,43,"System.String",string +CertificateDatabaseHash,44,"System.String",string +ClassId,45,"System.String",string +ClassName,46,"System.String",string 
+ClientAddress,47,"System.String",string +ClientIPAddress,48,"System.String",string +ClientName,49,"System.String",string +CommandLine,50,"System.String",string +CompatibleIds,51,"System.String",string +DCDNSName,52,"System.String",string +DeviceDescription,53,"System.String",string +DeviceId,54,"System.String",string +DisplayName,55,"System.String",string +Disposition,56,"System.String",string +DomainBehaviorVersion,57,"System.String",string +DomainName,58,"System.String",string +DomainPolicyChanged,59,"System.String",string +DomainSid,60,"System.String",string +EAPType,61,"System.String",string +ElevatedToken,62,"System.String",string +ErrorCode,63,"System.Int32",int +ExtendedQuarantineState,64,"System.String",string +FailureReason,65,"System.String",string +FileHash,66,"System.String",string +FilePath,67,"System.String",string +FilePathNoUser,68,"System.String",string +Filter,69,"System.String",string +ForceLogoff,70,"System.String",string +Fqbn,71,"System.String",string +FullyQualifiedSubjectMachineName,72,"System.String",string +FullyQualifiedSubjectUserName,73,"System.String",string +GroupMembership,74,"System.String",string +HandleId,75,"System.String",string +HardwareIds,76,"System.String",string +HomeDirectory,77,"System.String",string +HomePath,78,"System.String",string +ImpersonationLevel,79,"System.String",string +InterfaceUuid,80,"System.String",string +IpAddress,81,"System.String",string +IpPort,82,"System.String",string +KeyLength,83,"System.Int32",int +LmPackageName,84,"System.String",string +LocationInformation,85,"System.String",string +LockoutDuration,86,"System.String",string +LockoutObservationWindow,87,"System.String",string +LockoutThreshold,88,"System.String",string +LoggingResult,89,"System.String",string +LogonGuid,90,"System.String",string +LogonHours,91,"System.String",string +LogonID,92,"System.String",string +LogonProcessName,93,"System.String",string +LogonType,94,"System.Int32",int +LogonTypeName,95,"System.String",string 
+MachineAccountQuota,96,"System.String",string +MachineInventory,97,"System.String",string +MachineLogon,98,"System.String",string +MandatoryLabel,99,"System.String",string +MaxPasswordAge,100,"System.String",string +MemberName,101,"System.String",string +MemberSid,102,"System.String",string +MinPasswordAge,103,"System.String",string +MinPasswordLength,104,"System.String",string +MixedDomainMode,105,"System.String",string +NASIdentifier,106,"System.String",string +NASIPv4Address,107,"System.String",string +NASIPv6Address,108,"System.String",string +NASPort,109,"System.String",string +NASPortType,110,"System.String",string +NetworkPolicyName,111,"System.String",string +NewDate,112,"System.String",string +NewMaxUsers,113,"System.String",string +NewProcessId,114,"System.String",string +NewProcessName,115,"System.String",string +NewRemark,116,"System.String",string +NewShareFlags,117,"System.String",string +NewTime,118,"System.String",string +NewUacValue,119,"System.String",string +NewValue,120,"System.String",string +NewValueType,121,"System.String",string +ObjectName,122,"System.String",string +ObjectServer,123,"System.String",string +ObjectType,124,"System.String",string +ObjectValueName,125,"System.String",string +OemInformation,126,"System.String",string +OldMaxUsers,127,"System.String",string +OldRemark,128,"System.String",string +OldShareFlags,129,"System.String",string +OldUacValue,130,"System.String",string +OldValue,131,"System.String",string +OldValueType,132,"System.String",string +OperationType,133,"System.String",string +PackageName,134,"System.String",string +ParentProcessName,135,"System.String",string +PasswordHistoryLength,136,"System.String",string +PasswordLastSet,137,"System.String",string +PasswordProperties,138,"System.String",string +PreviousDate,139,"System.String",string +PreviousTime,140,"System.String",string +PrimaryGroupId,141,"System.String",string +PrivateKeyUsageCount,142,"System.String",string +PrivilegeList,143,"System.String",string 
+Process,144,"System.String",string
+ProcessId,145,"System.String",string
+ProcessName,146,"System.String",string
+Properties,147,"System.String",string
+ProfilePath,148,"System.String",string
+ProtocolSequence,149,"System.String",string
+ProxyPolicyName,150,"System.String",string
+QuarantineHelpURL,151,"System.String",string
+QuarantineSessionID,152,"System.String",string
+QuarantineSessionIdentifier,153,"System.String",string
+QuarantineState,154,"System.String",string
+QuarantineSystemHealthResult,155,"System.String",string
+RelativeTargetName,156,"System.String",string
+RemoteIpAddress,157,"System.String",string
+RemotePort,158,"System.String",string
+Requester,159,"System.String",string
+RequestId,160,"System.String",string
+RestrictedAdminMode,161,"System.String",string
+RowsDeleted,162,"System.String",string
+SamAccountName,163,"System.String",string
+ScriptPath,164,"System.String",string
+SecurityDescriptor,165,"System.String",string
+ServiceAccount,166,"System.String",string
+ServiceFileName,167,"System.String",string
+ServiceName,168,"System.String",string
+ServiceStartType,169,"System.Int32",int
+ServiceType,170,"System.String",string
+SessionName,171,"System.String",string
+ShareLocalPath,172,"System.String",string
+ShareName,173,"System.String",string
+SidHistory,174,"System.String",string
+Status,175,"System.String",string
+SubjectAccount,176,"System.String",string
+SubcategoryGuid,177,"System.String",string
+SubcategoryId,178,"System.String",string
+Subject,179,"System.String",string
+SubjectDomainName,180,"System.String",string
+SubjectKeyIdentifier,181,"System.String",string
+SubjectLogonId,182,"System.String",string
+SubjectMachineName,183,"System.String",string
+SubjectMachineSID,184,"System.String",string
+SubjectUserName,185,"System.String",string
+SubjectUserSid,186,"System.String",string
+SubStatus,187,"System.String",string
+TableId,188,"System.String",string
+TargetAccount,189,"System.String",string
+TargetDomainName,190,"System.String",string
+TargetInfo,191,"System.String",string
+TargetLinkedLogonId,192,"System.String",string
+TargetLogonGuid,193,"System.String",string
+TargetLogonId,194,"System.String",string
+TargetOutboundDomainName,195,"System.String",string
+TargetOutboundUserName,196,"System.String",string
+TargetServerName,197,"System.String",string
+TargetSid,198,"System.String",string
+TargetUser,199,"System.String",string
+TargetUserName,200,"System.String",string
+TargetUserSid,201,"System.String",string
+TemplateContent,202,"System.String",string
+TemplateDSObjectFQDN,203,"System.String",string
+TemplateInternalName,204,"System.String",string
+TemplateOID,205,"System.String",string
+TemplateSchemaVersion,206,"System.String",string
+TemplateVersion,207,"System.String",string
+TokenElevationType,208,"System.String",string
+TransmittedServices,209,"System.String",string
+UserAccountControl,210,"System.String",string
+UserParameters,211,"System.String",string
+UserPrincipalName,212,"System.String",string
+UserWorkstations,213,"System.String",string
+VirtualAccount,214,"System.String",string
+VendorIds,215,"System.String",string
+Workstation,216,"System.String",string
+WorkstationName,217,"System.String",string
+PartitionKey,218,"System.String",string
+RowKey,219,"System.String",string
+StorageAccount,220,"System.String",string
+AzureDeploymentID,221,"System.String",string
+AzureTableName,222,"System.String",string
+Type,223,"System.String",string
+"_ResourceId",224,"System.String",string
diff --git a/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_IngestedLogs.csv b/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_IngestedLogs.csv
new file mode 100644
index 00000000000..33fcd8be1ef
--- /dev/null
+++ b/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_IngestedLogs.csv
@@ -0,0 +1,58 @@ +TenantId,SourceSystem,"TimeGenerated [UTC]",Provider,Channel,Computer,Task,EventLevel,EventLevelName,Data,EventID,ManagementGroupName,SystemUserId,Version,Opcode,Keywords,Correlation,SystemProcessId,SystemThreadId,EventRecordId,EventData,RawEventData,EventOriginId,"TimeCreated [UTC]",Type,"_ResourceId" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:06:44.076 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4758,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309866309,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:08:23.547 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4730,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309866731,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:08:23.547 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4734,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309866747,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:21:23.377 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4753,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309868586,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1132""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:20:43.552 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4763,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309868508,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1134""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:35:09.027 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4748,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309873533,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1133""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:19:04.087 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4749,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309868142,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1132"",""SamAccountName"":""Global Distribution Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:19:04.087 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4744,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309868230,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1133"",""SamAccountName"":""Domain Local Distribution Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:19:43.963 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13827,0,LogAlways,,4759,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309868281,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Distribution Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1134"",""SamAccountName"":""Universal Distribution Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:53:24.236 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4740,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309889481,"{""SubjectUserSid"":""S-1-5-18"",""SubjectUserName"":""DC1$"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x3e7"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""CL01"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 6:53:24.267 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4767,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309889911,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:32:49.720 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922678,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKingRenamed"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""KustoKingRenamed"",""SidHistory"":""-"",""Dummy"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" 
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:32:49.720 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922679,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""OldTargetUserName"":""KustoKing"",""NewTargetUserName"":""KustoKingRenamed""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:02.628 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922852,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""KustoKing"",""SidHistory"":""-"",""Dummy"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/
resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:02.628 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922853,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""OldTargetUserName"":""KustoKingRenamed"",""NewTargetUserName"":""KustoKing""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:05.246 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922885,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""SidHistory"":""-"",""Dummy"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""KustoKingRenamed@kustoworks.com"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""LogonHours"":""-""}",,"b6e34eb
b-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:14.626 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309922965,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""SidHistory"":""-"",""Dummy"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""KustoKing@kustoworks.com"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:40.164 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4731,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2744,2309923302,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local 
Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1135"",""SamAccountName"":""Domain Local Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:50.831 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2744,2309923379,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1135"",""OldTargetUserName"":""Domain Local Group"",""NewTargetUserName"":""Domain Local Group Renamed""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:51.602 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,2736,2309923395,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1135"",""OldTargetUserName"":""Domain Local Group Renamed"",""NewTargetUserName"":""Domain Local Group 
Renamed""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/12/2023, 5:33:58.257 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,732,1808,2309923465,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x118925a"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1135"",""OldTargetUserName"":""Domain Local Group Renamed"",""NewTargetUserName"":""Domain Local Group""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.052 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,1940,2309956902,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetUserName"":""Administrator RENAME"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""Dummy"":""-"",""SamAccountName"":""Administrator 
RENAME"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.052 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,1940,2309956903,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""OldTargetUserName"":""Administrator"",""NewTargetUserName"":""Administrator RENAME""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.052 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3096,2309957090,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetUserName"":""Administrator"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""Dummy"":""-"",""SamAccountName"":""Administrator"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.052 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3096,2309957091,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""OldTargetUserName"":""Administrator 
RENAME"",""NewTargetUserName"":""Administrator""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,1940,2309957184,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetUserName"":""Administrator"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""Dummy"":""-"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""Administrator"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3092,2309957307,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1103"",""OldTargetUserName"":""DHCP Users"",""NewTargetUserName"":""DHCP Users This one too""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,1940,2309957332,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1103"",""OldTargetUserName"":""DHCP Users This one too"",""NewTargetUserName"":""DHCP Users This one too""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3096,2309957432,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1103"",""OldTargetUserName"":""DHCP Users This one too"",""NewTargetUserName"":""DHCP Users""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/17/2023, 12:11:36.068 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,704,3092,2309957436,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2e7842"",""TargetDomainName"":""KUSTOWORKS"",""PrivilegeList"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1103"",""OldTargetUserName"":""DHCP Users"",""NewTargetUserName"":""DHCP Users""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:06:31.375 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309842183,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x211"",""NewUacValue"":""0x210"",""UserAccountControl"":"" \t\t%%2048"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:06:31.375 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4722,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309842184,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 
9:04:50.338 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4726,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309841463,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1127""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.564 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4720,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309841963,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""KustoKing"",""DisplayName"":""KustoKing"",""UserPrincipalName"":""KustoKing@kustoworks.com"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""%%1794"",""AccountExpires"":""%%1794"",""PrimaryGroupId"":""513"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x0"",""NewUacValue"":""0x15"",""UserAccountControl"":"" \t\t%%2080 \t\t%%2082 
\t\t%%2084"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""%%1793""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.623 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309841974,"{""SubjectUserSid"":""S-1-5-7"",""SubjectUserName"":""ANONYMOUS LOGON"",""SubjectDomainName"":""NT AUTHORITY"",""SubjectLogonId"":""0x3e6"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""7/8/2023 11:05:36 PM"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.623 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4724,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309841975,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xf10ff1"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.628 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309841980,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x15"",""NewUacValue"":""0x211"",""UserAccountControl"":"" \t\t%%2050 \t\t%%2089"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" 
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.630 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309841983,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x211"",""NewUacValue"":""0x210"",""UserAccountControl"":"" \t\t%%2048"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:05:36.630 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4722,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309841984,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:18:54.699 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4732,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3108,2309847066,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:23:08.575 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309847774,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131"",""OldTargetUserName"":""Universal Security Group"",""NewTargetUserName"":""Universal Security Group123""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:23:17.977 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309847804,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129"",""OldTargetUserName"":""Global Security Group"",""NewTargetUserName"":""Global Security Group123""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:26:38.577 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4723,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8010000000000000,,736,2124,2309848860,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SubjectUserName"":""KustoKing"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x2069128"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:23:26.421 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4781,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309847851,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130"",""OldTargetUserName"":""Domain Local Security Group"",""NewTargetUserName"":""Domain Local Security Group123""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:26:55.391 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4723,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8010000000000000,,736,3096,2309848912,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SubjectUserName"":""KustoKing"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x20b4ed4"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:06:09.450 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309842115,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""-"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""0x210"",""NewUacValue"":""0x211"",""UserAccountControl"":"" \t\t%%2080"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" 
+"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:06:09.450 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4725,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309842116,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:28:18.914 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4733,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309849113,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:28:34.226 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4729,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309849170,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:28:42.429 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4757,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309849211,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Security Group123"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:14:04.954 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4738,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309845716,"{""SubjectUserSid"":""S-1-5-7"",""SubjectUserName"":""ANONYMOUS LOGON"",""SubjectDomainName"":""NT AUTHORITY"",""SubjectLogonId"":""0x3e6"",""PrivilegeList"":""-"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""Dummy"":""-"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128"",""SamAccountName"":""-"",""DisplayName"":""-"",""UserPrincipalName"":""-"",""HomeDirectory"":""-"",""HomePath"":""-"",""ScriptPath"":""-"",""ProfilePath"":""-"",""UserWorkstations"":""-"",""PasswordLastSet"":""7/8/2023 11:14:04 PM"",""AccountExpires"":""-"",""PrimaryGroupId"":""-"",""AllowedToDelegateTo"":""-"",""OldUacValue"":""-"",""NewUacValue"":""-"",""UserAccountControl"":""-"",""UserParameters"":""-"",""SidHistory"":""-"",""LogonHours"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:14:04.954 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13824,0,LogAlways,,4724,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309845717,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0x1574e03"",""TargetUserName"":""KustoKing"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:16:42.712 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4731,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309846649,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Domain Local Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1130"",""SamAccountName"":""Domain Local Security Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:17:16.502 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4754,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309846735,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131"",""SamAccountName"":""Universal Security Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:16:18.919 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4727,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3108,2309846566,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129"",""SamAccountName"":""Global Security Group"",""SidHistory"":""-""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:18:13.424 PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4756,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,3096,2309846947,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Universal Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1131"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1" +"01680ad8-1090-4dec-a395-f77b161a9051",OpsManager,"7/8/2023, 9:18:25.378 
PM","Microsoft-Windows-Security-Auditing",Security,"DC1.kustoworks.com",13826,0,LogAlways,,4728,"AOI-01680ad8-1090-4dec-a395-f77b161a9051","N/A",0,0,0x8020000000000000,,736,2124,2309847001,"{""SubjectUserSid"":""S-1-5-21-2496762881-1366215883-1809657155-500"",""SubjectUserName"":""Administrator"",""SubjectDomainName"":""KUSTOWORKS"",""SubjectLogonId"":""0xa6a86b"",""PrivilegeList"":""-"",""TargetUserName"":""Global Security Group"",""TargetDomainName"":""KUSTOWORKS"",""TargetSid"":""S-1-5-21-2496762881-1366215883-1809657155-1129"",""MemberName"":""CN=KustoKing,CN=Users,DC=kustoworks,DC=com"",""MemberSid"":""S-1-5-21-2496762881-1366215883-1809657155-1128""}",,"b6e34ebb-bc90-4c30-9e7b-8a9feae2eec1",,WindowsEvent,"/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/rg-sentinel/providers/microsoft.hybridcompute/machines/wef1"
diff --git a/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_Schema.csv b/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_Schema.csv
new file mode 100644
index 00000000000..0da0648cc94
--- /dev/null
+++ b/Sample Data/ASIM/Microsoft_Windows_UserManagement_WindowsEvent_Schema.csv
@@ -0,0 +1,27 @@
+ColumnName,ColumnOrdinal,DataType,ColumnType
+TenantId,0,"System.String",string
+SourceSystem,1,"System.String",string
+TimeGenerated,2,"System.DateTime",datetime
+Provider,3,"System.String",string
+Channel,4,"System.String",string
+Computer,5,"System.String",string
+Task,6,"System.Int32",int
+EventLevel,7,"System.Int32",int
+EventLevelName,8,"System.String",string
+Data,9,"System.Object",dynamic
+EventID,10,"System.Int32",int
+ManagementGroupName,11,"System.String",string
+SystemUserId,12,"System.String",string
+Version,13,"System.Int32",int
+Opcode,14,"System.String",string
+Keywords,15,"System.String",string
+Correlation,16,"System.String",string
+SystemProcessId,17,"System.Int32",int
+SystemThreadId,18,"System.Int32",int
+EventRecordId,19,"System.String",string
+EventData,20,"System.Object",dynamic
+RawEventData,21,"System.String",string
+EventOriginId,22,"System.String",string
+TimeCreated,23,"System.DateTime",datetime
+Type,24,"System.String",string
+"_ResourceId",25,"System.String",string