SimuLand Golden SAML Dataset

Network Data Source: -
Network Data Labeled: -
Host Data Source: Events from AAD, MS Defender, Office and Windows
Host Data Labeled: Yes, in the sense that everything is malicious

Overall Setting: Enterprise IT
OS Types: Windows
Number of Machines: n/a
Total Runtime: n/a
Year of Collection: 2021
Attack Categories: Impersonation, Data Extraction
Benign Activity: n/a

Packed Size: n/a
Unpacked Size: <1 MB
Download Link: see below

Overview

A dataset representing a threat actor stealing the Active Directory Federation Services (AD FS) token-signing certificate from an on-premises AD FS server and using it to perform a short sequence of attacks.

Environment

The attacks took place in an on-premises Active Directory (AD) network synced with Azure AD; more details are available in the links below.

Activity

The stolen certificate is used to sign a new SAML (Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between parties) token, impersonate a privileged user, and then collect mail data through the Microsoft Graph API. No information is given about simulated or real user behavior.

Contained Data

There are four types of events collected:

  • Azure Active Directory (AAD) audit events
  • Microsoft 365 Defender events
  • OfficeActivity events (activity within the MS 365 suite)
  • Windows events

However, the amount of data is minimal, which is also why the events are included in their entirety in the data section below. Labels are not provided; presumably every log entry is to be considered malicious.
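As an added example (this editor's code, not SimuLand's), the script below shows the kind of triage a defender can run over these four sources: one rule per attack stage, each keyed on fields that appear in the records reproduced in the data section. The records embedded in the script are abbreviated copies of the page's events, constructed with only the fields the rules read; the allowlists `KNOWN_DCS` and `APPROVED_MAIL_APPS` and all function names (`_ldap`, `dkm_key_reads`, `triage`, ...) are assumptions of this example, not facts about the dataset. The LDAP rule is written more generally than the single event on the page: it fires on any read of `thumbnailphoto` under the ADFS container, whatever the search filter, and stays silent on the `objectClass`-only base search that precedes it. The nested-JSON handling (`_loads`) matters in practice because Azure AD and Defender exports carry `InitiatedBy`, `TargetResources` and `AdditionalFields_string` as JSON encoded inside strings.

```python
"""Triage rules over the four SimuLand Golden SAML event sources.

Added example, not SimuLand's own code. Sample records are abbreviated copies of
the page's events, constructed with only the fields the rules read; KNOWN_DCS and
APPROVED_MAIL_APPS are assumptions about the lab, not facts from the page.
"""
import json

KNOWN_DCS = {"dc01.simulandlabs.com"}  # assumption: the lab's only domain controller
APPROVED_MAIL_APPS = set()             # assumption: no app is expected to read mail via Graph
ADFS_CONTAINER = "CN=ADFS,CN=Microsoft,CN=Program Data"
ADFS_DN = "CN=596f0e13-7a4b-49a1-a106-0cbcba66b065," + ADFS_CONTAINER + ",DC=simulandlabs,DC=com"


def _s(obj):
    """Azure AD / M365 exports nest JSON inside string fields; mimic that encoding."""
    return json.dumps(obj)


def _loads(value):
    """Nested fields arrive either already parsed or as JSON strings."""
    return json.loads(value) if isinstance(value, str) else value


def _ldap(attr, scope, flt):
    """One constructed Defender DeviceEvents LdapSearch record from the AD FS host."""
    return {"DeviceName": "adfs01.simulandlabs.com", "ActionType": "LdapSearch",
            "InitiatingProcessAccountUpn": "wardog@simulandlabs.com",
            "AdditionalFields_string": _s({"AttributeList": [attr], "DistinguishedName": ADFS_DN,
                                           "ScopeOfSearch": scope, "SearchFilter": flt})}


SAMPLE_AAD = [{
    "OperationName": "Add delegated permission grant",
    "InitiatedBy": _s({"user": {"userPrincipalName": "pgustavo@simulandlabs.com"}}),
    "TargetResources": _s([{"displayName": "Microsoft Graph", "type": "ServicePrincipal",
                            "modifiedProperties": [{"displayName": "DelegatedPermissionGrant.Scope",
                                                    "oldValue": _s("User.Read"),
                                                    "newValue": _s("User.Read Mail.ReadWrite")}]}])}]
SAMPLE_DEVICE = [_ldap("objectClass", "Base", "(objectClass=*)"),  # benign: no key material read
                 _ldap("thumbnailphoto", "SubTree",
                       "(&(objectclass=contact)(!name=CryptoPolicy)(ThumbnailPhoto=*))")]
SAMPLE_IDENTITY = [{"ActionType": "Directory Services replication", "Protocol": "Drsr",
                    "AccountUpn": "pgustavo@simulandlabs.com", "DeviceName": "adfs01.simulandlabs.com",
                    "DestinationDeviceName": "dc01.simulandlabs.com"}]
SAMPLE_OFFICE = [{"Operation": "MailItemsAccessed", "ClientInfoString": "Client=REST;;",
                  "UserId": "pgustavo@simulandlabs.com", "OperationCount": 7,
                  "ClientAppId": "5a95e683-08ad-424e-a441-1d1aec52c02c"}]


def dkm_key_reads(device_events):
    """LdapSearch reading thumbnailphoto under the ADFS container (where the DKM key lives)."""
    hits = []
    for e in device_events:
        if e.get("ActionType") != "LdapSearch":
            continue
        f = _loads(e.get("AdditionalFields_string") or e.get("AdditionalFields") or "{}")
        attrs = {a.lower() for a in f.get("AttributeList", [])}
        if "thumbnailphoto" in attrs and ADFS_CONTAINER in f.get("DistinguishedName", ""):
            hits.append((e["DeviceName"], e["InitiatingProcessAccountUpn"], f["SearchFilter"]))
    return hits


def replication_from_non_dc(identity_events):
    """DRSR replication requested by a host that is not a known domain controller."""
    return [(e["DeviceName"], e["AccountUpn"], e["DestinationDeviceName"])
            for e in identity_events
            if e.get("Protocol") == "Drsr" and e.get("DeviceName") not in KNOWN_DCS]


def mail_scope_grants(aad_events):
    """Delegated permission grants whose new scope adds a Mail.* permission."""
    hits = []
    for e in aad_events:
        if e.get("OperationName") != "Add delegated permission grant":
            continue
        actor = _loads(e["InitiatedBy"])["user"]["userPrincipalName"]
        for target in _loads(e["TargetResources"]):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "DelegatedPermissionGrant.Scope":
                    continue
                old = set(_loads(prop.get("oldValue") or '""').split())
                new = set(_loads(prop.get("newValue") or '""').split())
                added = sorted(s for s in new - old if s.startswith("Mail."))
                if added:
                    hits.append((actor, target["displayName"], added))
    return hits


def app_mail_access(office_events):
    """MailItemsAccessed through REST by an OAuth app that is not on the allowlist."""
    return [(e["UserId"], e["ClientAppId"], e.get("OperationCount", 0))
            for e in office_events
            if e.get("Operation") == "MailItemsAccessed"
            and e.get("ClientInfoString", "").startswith("Client=REST")
            and e.get("ClientAppId") and e["ClientAppId"] not in APPROVED_MAIL_APPS]


def triage(aad, device, identity, office):
    """Run every rule; keys name the attack stage each finding maps to."""
    return {"dkm_key_read": dkm_key_reads(device),
            "replication_non_dc": replication_from_non_dc(identity),
            "mail_scope_grant": mail_scope_grants(aad),
            "app_mail_access": app_mail_access(office)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AAD, SAMPLE_DEVICE, SAMPLE_IDENTITY, SAMPLE_OFFICE), indent=2))
```

Run as-is it prints one finding per stage for the embedded samples; against the full export, feed each source's JSONL into the matching rule. The rules deliberately key on object names and protocol fields rather than on hashes or user names, so they keep working outside the lab tenant; the two allowlists are the only site-specific inputs.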

Data Example

AAD audit events

{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"Azure AD","TimeGenerated":"2021-08-02T13:29:25.983Z","ResourceId":"/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam","OperationName":"Update application – Certificates and secrets management ","OperationVersion":"1.0","Category":"ApplicationManagement","ResultSignature":"None","CorrelationId":"10065ffb-8199-48bc-8ff5-912cb5b8295a","Resource":"Microsoft.aadiam","ResourceGroup":"Microsoft.aadiam","Level":"4","AdditionalDetails":"[{\"key\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1971\"}]","Id":"Directory_10065ffb-8199-48bc-8ff5-912cb5b8295a_AUMVX_13992832","InitiatedBy":"{\"user\":{\"id\":\"aead923d-498b-4f64-a66c-2af91447a8b6\",\"displayName\":null,\"userPrincipalName\":\"pgustavo@simulandlabs.com\",\"ipAddress\":null,\"roles\":[]}}","LoggedByService":"Core Directory","Result":"success","TargetResources":"[{\"id\":\"11b49e19-2326-4be6-93cb-7f37439bbd81\",\"displayName\":\"SimuLandApp\",\"type\":\"Application\",\"modifiedProperties\":[{\"displayName\":\"KeyDescription\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"[KeyIdentifier=59eaeebc-8a6b-44a6-9f24-7d55e64420c9,KeyType=Password,KeyUsage=Verify,DisplayName=SimuLandCreds]\\\"]\"},{\"displayName\":\"Included Updated Properties\",\"oldValue\":null,\"newValue\":\"\\\"KeyDescription\\\"\"}],\"administrativeUnits\":[]}]","AADTenantId":"00000000-0000-0000-0000-000000000000","ActivityDisplayName":"Update application – Certificates and secrets management ","ActivityDateTime":"2021-08-02T13:29:25.983Z","AADOperationType":"Update","Type":"AuditLogs","UserAgent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) 
WindowsPowerShell/5.1.17763.1971","target":"{\"id\":\"11b49e19-2326-4be6-93cb-7f37439bbd81\",\"displayName\":\"SimuLandApp\",\"type\":\"Application\",\"modifiedProperties\":[{\"displayName\":\"KeyDescription\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"[KeyIdentifier=59eaeebc-8a6b-44a6-9f24-7d55e64420c9,KeyType=Password,KeyUsage=Verify,DisplayName=SimuLandCreds]\\\"]\"},{\"displayName\":\"Included Updated Properties\",\"oldValue\":null,\"newValue\":\"\\\"KeyDescription\\\"\"}],\"administrativeUnits\":[]}","targetDisplayName":"SimuLandApp","targetId":"11b49e19-2326-4be6-93cb-7f37439bbd81","targetType":"Application","keyEvents":"{\"displayName\":\"KeyDescription\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"[KeyIdentifier=59eaeebc-8a6b-44a6-9f24-7d55e64420c9,KeyType=Password,KeyUsage=Verify,DisplayName=SimuLandCreds]\\\"]\"}","InitiatingUserOrApp":"pgustavo@simulandlabs.com"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"Azure AD","TimeGenerated":"2021-08-02T13:29:25.983Z","ResourceId":"/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam","OperationName":"Update application – Certificates and secrets management ","OperationVersion":"1.0","Category":"ApplicationManagement","ResultSignature":"None","CorrelationId":"10065ffb-8199-48bc-8ff5-912cb5b8295a","Resource":"Microsoft.aadiam","ResourceGroup":"Microsoft.aadiam","Level":"4","AdditionalDetails":"[{\"key\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1971\"}]","Id":"Directory_10065ffb-8199-48bc-8ff5-912cb5b8295a_AUMVX_13992832","InitiatedBy":"{\"user\":{\"id\":\"aead923d-498b-4f64-a66c-2af91447a8b6\",\"displayName\":null,\"userPrincipalName\":\"pgustavo@simulandlabs.com\",\"ipAddress\":null,\"roles\":[]}}","LoggedByService":"Core Directory","Result":"success","TargetResources":"[{\"id\":\"11b49e19-2326-4be6-93cb-7f37439bbd81\",\"displayName\":\"SimuLandApp\",\"type\":\"Application\",\"modifiedProperties\":[{\"displayName\":\"KeyDescription\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"[KeyIdentifier=59eaeebc-8a6b-44a6-9f24-7d55e64420c9,KeyType=Password,KeyUsage=Verify,DisplayName=SimuLandCreds]\\\"]\"},{\"displayName\":\"Included Updated Properties\",\"oldValue\":null,\"newValue\":\"\\\"KeyDescription\\\"\"}],\"administrativeUnits\":[]}]","AADTenantId":"00000000-0000-0000-0000-000000000000","ActivityDisplayName":"Update application – Certificates and secrets management ","ActivityDateTime":"2021-08-02T13:29:25.983Z","AADOperationType":"Update","Type":"AuditLogs","UserAgent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) 
WindowsPowerShell/5.1.17763.1971","target":"{\"id\":\"11b49e19-2326-4be6-93cb-7f37439bbd81\",\"displayName\":\"SimuLandApp\",\"type\":\"Application\",\"modifiedProperties\":[{\"displayName\":\"KeyDescription\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"[KeyIdentifier=59eaeebc-8a6b-44a6-9f24-7d55e64420c9,KeyType=Password,KeyUsage=Verify,DisplayName=SimuLandCreds]\\\"]\"},{\"displayName\":\"Included Updated Properties\",\"oldValue\":null,\"newValue\":\"\\\"KeyDescription\\\"\"}],\"administrativeUnits\":[]}","targetDisplayName":"SimuLandApp","targetId":"11b49e19-2326-4be6-93cb-7f37439bbd81","targetType":"Application","keyEvents":"{\"displayName\":\"Included Updated Properties\",\"oldValue\":null,\"newValue\":\"\\\"KeyDescription\\\"\"}","InitiatingUserOrApp":"pgustavo@simulandlabs.com"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"Azure AD","TimeGenerated":"2021-08-02T13:25:12.246Z","ResourceId":"/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam","OperationName":"Update application","OperationVersion":"1.0","Category":"ApplicationManagement","ResultSignature":"None","CorrelationId":"ae69aa7a-e9b7-4066-84f2-58582994d8cb","Resource":"Microsoft.aadiam","ResourceGroup":"Microsoft.aadiam","Level":"4","AdditionalDetails":"[{\"key\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1971\"}]","Id":"Directory_ae69aa7a-e9b7-4066-84f2-58582994d8cb_7H1JL_8584070","InitiatedBy":"{\"user\":{\"id\":\"aead923d-498b-4f64-a66c-2af91447a8b6\",\"displayName\":null,\"userPrincipalName\":\"pgustavo@simulandlabs.com\",\"ipAddress\":null,\"roles\":[]}}","LoggedByService":"Core Directory","Result":"success","TargetResources":"[{\"id\":\"11b49e19-2326-4be6-93cb-7f37439bbd81\",\"displayName\":\"SimuLandApp\",\"type\":\"Application\",\"modifiedProperties\":[{\"displayName\":\"RequiredResourceAccess\",\"oldValue\":\"[{\\\"ResourceAppId\\\":\\\"00000003-0000-0000-c000-000000000000\\\",\\\"RequiredAppPermissions\\\":[{\\\"EntitlementId\\\":\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\\"DirectAccessGrant\\\":false,\\\"ImpersonationAccessGrants\\\":[20]}],\\\"EncodingVersion\\\":1}]\",\"newValue\":\"[{\\\"ResourceAppId\\\":\\\"00000003-0000-0000-c000-000000000000\\\",\\\"RequiredAppPermissions\\\":[{\\\"EntitlementId\\\":\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\\"DirectAccessGrant\\\":false,\\\"ImpersonationAccessGrants\\\":[20]},{\\\"EntitlementId\\\":\\\"024d486e-b451-40bb-833d-3e66d98c5c73\\\",\\\"DirectAccessGrant\\\":false,\\\"ImpersonationAccessGrants\\\":[20]}],\\\"EncodingVersion\\\":1}]\"},{\"displayName\":\"Included Updated 
Properties\",\"oldValue\":null,\"newValue\":\"\\\"RequiredResourceAccess\\\"\"}],\"administrativeUnits\":[]}]","AADTenantId":"00000000-0000-0000-0000-000000000000","ActivityDisplayName":"Update application","ActivityDateTime":"2021-08-02T13:25:12.246Z","AADOperationType":"Update","Type":"Application","UserAgent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1971","InitiatingUser":"pgustavo@simulandlabs.com","ModifiedApplication":"SimuLandApp","ModifiedApplicationObjectId":"11b49e19-2326-4be6-93cb-7f37439bbd81","ModifiedPropertyName":"RequiredResourceAccess","ResourceAppId":"00000003-0000-0000-c000-000000000000"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"Azure AD","TimeGenerated":"2021-08-02T13:27:20.017Z","ResourceId":"/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam","OperationName":"Add delegated permission grant","OperationVersion":"1.0","Category":"ApplicationManagement","ResultSignature":"None","CorrelationId":"630d7f0c-acc4-4596-85ab-7e5d839b4291","Resource":"Microsoft.aadiam","ResourceGroup":"Microsoft.aadiam","Level":"4","AdditionalDetails":"[{\"key\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1971\"}]","Id":"Directory_630d7f0c-acc4-4596-85ab-7e5d839b4291_9VRQI_37762000","InitiatedBy":"{\"user\":{\"id\":\"aead923d-498b-4f64-a66c-2af91447a8b6\",\"displayName\":null,\"userPrincipalName\":\"pgustavo@simulandlabs.com\",\"ipAddress\":null,\"roles\":[]}}","LoggedByService":"Core Directory","Result":"success","TargetResources":"[{\"id\":\"401dd906-ea4f-4d41-b762-7e936d222368\",\"displayName\":\"Microsoft Graph\",\"type\":\"ServicePrincipal\",\"modifiedProperties\":[{\"displayName\":\"DelegatedPermissionGrant.Scope\",\"oldValue\":\"\\\"User.Read\\\"\",\"newValue\":\"\\\"User.Read 
Mail.ReadWrite\\\"\"},{\"displayName\":\"DelegatedPermissionGrant.ConsentType\",\"oldValue\":\"\\\"AllPrincipals\\\"\",\"newValue\":\"\\\"AllPrincipals\\\"\"},{\"displayName\":\"ServicePrincipal.ObjectID\",\"oldValue\":null,\"newValue\":\"\\\"0d2f5969-011b-460d-ac74-3291d227d49f\\\"\"},{\"displayName\":\"ServicePrincipal.DisplayName\",\"oldValue\":null,\"newValue\":null},{\"displayName\":\"ServicePrincipal.AppId\",\"oldValue\":null,\"newValue\":null},{\"displayName\":\"ServicePrincipal.Name\",\"oldValue\":null,\"newValue\":null},{\"displayName\":\"TargetId.ServicePrincipalNames\",\"oldValue\":null,\"newValue\":\"\\\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://canary.graph.microsoft.com/;https://graph.microsoft.us/;https://dod-graph.microsoft.us/\\\"\"}],\"administrativeUnits\":[]},{\"id\":\"0d2f5969-011b-460d-ac74-3291d227d49f\",\"displayName\":null,\"type\":\"ServicePrincipal\",\"modifiedProperties\":[],\"administrativeUnits\":[]}]","AADTenantId":"00000000-0000-0000-0000-000000000000","ActivityDisplayName":"Add delegated permission grant","ActivityDateTime":"2021-08-02T13:27:20.017Z","AADOperationType":"Assign","Type":"ServicePrincipal","UserAgent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1971","InitiatingUser":"pgustavo@simulandlabs.com","DisplayName":"DelegatedPermissionGrant.Scope","Permissions":"User.Read Mail.ReadWrite","PermissionsAddedTo":"Microsoft Graph"}

Microsoft 365 Defender events

{"Timestamp":"2021-08-02T13:11:39.7724491Z","DeviceId":"00000000-0000-0000-0000-000000000000","DeviceName":"adfs01.simulandlabs.com","ActionType":"LdapSearch","FileName":"","FolderPath":"","SHA1":"","SHA256":"","MD5":"","FileSize":null,"AccountDomain":"","AccountName":"","AccountSid":"","RemoteUrl":"","RemoteDeviceName":"","ProcessId":null,"ProcessCommandLine":"","ProcessCreationTime":null,"ProcessTokenElevation":"","LogonId":null,"RegistryKey":"","RegistryValueName":"","RegistryValueData":"","RemoteIP":"","RemotePort":null,"LocalIP":"","LocalPort":null,"FileOriginUrl":"","FileOriginIP":"","InitiatingProcessSHA1":"6cbce4a295c163791b60fc23d285e6d84f28ee4c","InitiatingProcessSHA256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","InitiatingProcessMD5":"7353f60b1739074eb17c5f4dddefe239","InitiatingProcessFileName":"powershell.exe","InitiatingProcessFileSize":448000,"InitiatingProcessFolderPath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","InitiatingProcessId":5692,"InitiatingProcessCommandLine":"\"powershell.exe\" ","InitiatingProcessCreationTime":"2021-08-02T10:45:40.0664337Z","InitiatingProcessAccountDomain":"simulandlabs","InitiatingProcessAccountName":"wardog","InitiatingProcessAccountSid":"S-1-5-21-2490359158-13971675-3780420524-500","InitiatingProcessAccountUpn":"wardog@simulandlabs.com","InitiatingProcessAccountObjectId":"","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.17763.1","InitiatingProcessVersionInfoInternalFileName":"POWERSHELL","InitiatingProcessVersionInfoOriginalFileName":"PowerShell.EXE","InitiatingProcessVersionInfoFileDescription":"Windows 
PowerShell","InitiatingProcessParentId":820,"InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessParentCreationTime":"2021-06-24T04:49:41.1741012Z","InitiatingProcessLogonId":1357805418,"ReportId_long":113597,"ReportId_string":"","AppGuardContainerId":"","AdditionalFields_string":"{\"AttributeList\":[\"objectClass\"],\"DistinguishedName\":\"CN=596f0e13-7a4b-49a1-a106-0cbcba66b065,CN=ADFS,CN=Microsoft,CN=Program Data,DC=simulandlabs,DC=com\",\"ScopeOfSearch\":\"Base\",\"SearchFilter\":\"(objectClass=*)\"}","AdditionalFields_dynamic":null,"Application":"","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"","DestinationIPAddress":"","DestinationPort":null,"Protocol":"","AccountUpn":"","AccountObjectId":"","AccountDisplayName":"","IPAddress":"","Port":null,"Location":"","ISP":"","ApplicationId":null,"IsAdminOperation":null,"DeviceType":"","OSPlatform":"","IsAnonymousProxy":null,"CountryCode":"","City":"","UserAgent":"","ActivityType":"","ActivityObjects":null,"ObjectName":"","ObjectType":"","ObjectId":"","RawEventData":null,"rawData":null,"AppId":"","OAuthAppId":""}
{"Timestamp":"2021-08-02T13:11:39.7747609Z","DeviceId":"00000000-0000-0000-0000-000000000000","DeviceName":"adfs01.simulandlabs.com","ActionType":"LdapSearch","FileName":"","FolderPath":"","SHA1":"","SHA256":"","MD5":"","FileSize":null,"AccountDomain":"","AccountName":"","AccountSid":"","RemoteUrl":"","RemoteDeviceName":"","ProcessId":null,"ProcessCommandLine":"","ProcessCreationTime":null,"ProcessTokenElevation":"","LogonId":null,"RegistryKey":"","RegistryValueName":"","RegistryValueData":"","RemoteIP":"","RemotePort":null,"LocalIP":"","LocalPort":null,"FileOriginUrl":"","FileOriginIP":"","InitiatingProcessSHA1":"6cbce4a295c163791b60fc23d285e6d84f28ee4c","InitiatingProcessSHA256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","InitiatingProcessMD5":"7353f60b1739074eb17c5f4dddefe239","InitiatingProcessFileName":"powershell.exe","InitiatingProcessFileSize":448000,"InitiatingProcessFolderPath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","InitiatingProcessId":5692,"InitiatingProcessCommandLine":"\"powershell.exe\" ","InitiatingProcessCreationTime":"2021-08-02T10:45:40.0664337Z","InitiatingProcessAccountDomain":"simulandlabs","InitiatingProcessAccountName":"wardog","InitiatingProcessAccountSid":"S-1-5-21-2490359158-13971675-3780420524-500","InitiatingProcessAccountUpn":"wardog@simulandlabs.com","InitiatingProcessAccountObjectId":"","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.17763.1","InitiatingProcessVersionInfoInternalFileName":"POWERSHELL","InitiatingProcessVersionInfoOriginalFileName":"PowerShell.EXE","InitiatingProcessVersionInfoFileDescription":"Windows 
PowerShell","InitiatingProcessParentId":820,"InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessParentCreationTime":"2021-06-24T04:49:41.1741012Z","InitiatingProcessLogonId":1357805418,"ReportId_long":113598,"ReportId_string":"","AppGuardContainerId":"","AdditionalFields_string":"{\"AttributeList\":[\"thumbnailphoto\"],\"DistinguishedName\":\"CN=596f0e13-7a4b-49a1-a106-0cbcba66b065,CN=ADFS,CN=Microsoft,CN=Program Data,DC=simulandlabs,DC=com\",\"ScopeOfSearch\":\"SubTree\",\"SearchFilter\":\"(\u0026(objectclass=contact)(!name=CryptoPolicy)(ThumbnailPhoto=*))\"}","AdditionalFields_dynamic":null,"Application":"","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"","DestinationIPAddress":"","DestinationPort":null,"Protocol":"","AccountUpn":"","AccountObjectId":"","AccountDisplayName":"","IPAddress":"","Port":null,"Location":"","ISP":"","ApplicationId":null,"IsAdminOperation":null,"DeviceType":"","OSPlatform":"","IsAnonymousProxy":null,"CountryCode":"","City":"","UserAgent":"","ActivityType":"","ActivityObjects":null,"ObjectName":"","ObjectType":"","ObjectId":"","RawEventData":null,"rawData":null,"AppId":"","OAuthAppId":""}
{"Timestamp":"2021-08-02T13:11:53.5836949Z","DeviceId":"00000000-0000-0000-0000-000000000000","DeviceName":"adfs01.simulandlabs.com","ActionType":"LdapSearch","FileName":"","FolderPath":"","SHA1":"","SHA256":"","MD5":"","FileSize":null,"AccountDomain":"","AccountName":"","AccountSid":"","RemoteUrl":"","RemoteDeviceName":"","ProcessId":null,"ProcessCommandLine":"","ProcessCreationTime":null,"ProcessTokenElevation":"","LogonId":null,"RegistryKey":"","RegistryValueName":"","RegistryValueData":"","RemoteIP":"","RemotePort":null,"LocalIP":"","LocalPort":null,"FileOriginUrl":"","FileOriginIP":"","InitiatingProcessSHA1":"6cbce4a295c163791b60fc23d285e6d84f28ee4c","InitiatingProcessSHA256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","InitiatingProcessMD5":"7353f60b1739074eb17c5f4dddefe239","InitiatingProcessFileName":"powershell.exe","InitiatingProcessFileSize":448000,"InitiatingProcessFolderPath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","InitiatingProcessId":5692,"InitiatingProcessCommandLine":"\"powershell.exe\" ","InitiatingProcessCreationTime":"2021-08-02T10:45:40.0664337Z","InitiatingProcessAccountDomain":"simulandlabs","InitiatingProcessAccountName":"wardog","InitiatingProcessAccountSid":"S-1-5-21-2490359158-13971675-3780420524-500","InitiatingProcessAccountUpn":"wardog@simulandlabs.com","InitiatingProcessAccountObjectId":"","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.17763.1","InitiatingProcessVersionInfoInternalFileName":"POWERSHELL","InitiatingProcessVersionInfoOriginalFileName":"PowerShell.EXE","InitiatingProcessVersionInfoFileDescription":"Windows 
PowerShell","InitiatingProcessParentId":820,"InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessParentCreationTime":"2021-06-24T04:49:41.1741012Z","InitiatingProcessLogonId":1357805418,"ReportId_long":113608,"ReportId_string":"","AppGuardContainerId":"","AdditionalFields_string":"{\"AttributeList\":[\"\"],\"DistinguishedName\":\"CN=596f0e13-7a4b-49a1-a106-0cbcba66b065,CN=ADFS,CN=Microsoft,CN=Program Data,DC=simulandlabs,DC=com\",\"ScopeOfSearch\":\"SubTree\",\"SearchFilter\":\"(name=CryptoPolicy)\"}","AdditionalFields_dynamic":null,"Application":"","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"","DestinationIPAddress":"","DestinationPort":null,"Protocol":"","AccountUpn":"","AccountObjectId":"","AccountDisplayName":"","IPAddress":"","Port":null,"Location":"","ISP":"","ApplicationId":null,"IsAdminOperation":null,"DeviceType":"","OSPlatform":"","IsAnonymousProxy":null,"CountryCode":"","City":"","UserAgent":"","ActivityType":"","ActivityObjects":null,"ObjectName":"","ObjectType":"","ObjectId":"","RawEventData":null,"rawData":null,"AppId":"","OAuthAppId":""}
{"Timestamp":"2021-08-02T13:11:53.6344905Z","DeviceId":"00000000-0000-0000-0000-000000000000","DeviceName":"adfs01.simulandlabs.com","ActionType":"LdapSearch","FileName":"","FolderPath":"","SHA1":"","SHA256":"","MD5":"","FileSize":null,"AccountDomain":"","AccountName":"","AccountSid":"","RemoteUrl":"","RemoteDeviceName":"","ProcessId":null,"ProcessCommandLine":"","ProcessCreationTime":null,"ProcessTokenElevation":"","LogonId":null,"RegistryKey":"","RegistryValueName":"","RegistryValueData":"","RemoteIP":"","RemotePort":null,"LocalIP":"","LocalPort":null,"FileOriginUrl":"","FileOriginIP":"","InitiatingProcessSHA1":"6cbce4a295c163791b60fc23d285e6d84f28ee4c","InitiatingProcessSHA256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","InitiatingProcessMD5":"7353f60b1739074eb17c5f4dddefe239","InitiatingProcessFileName":"powershell.exe","InitiatingProcessFileSize":448000,"InitiatingProcessFolderPath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","InitiatingProcessId":5692,"InitiatingProcessCommandLine":"\"powershell.exe\" ","InitiatingProcessCreationTime":"2021-08-02T10:45:40.0664337Z","InitiatingProcessAccountDomain":"simulandlabs","InitiatingProcessAccountName":"wardog","InitiatingProcessAccountSid":"S-1-5-21-2490359158-13971675-3780420524-500","InitiatingProcessAccountUpn":"wardog@simulandlabs.com","InitiatingProcessAccountObjectId":"","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.17763.1","InitiatingProcessVersionInfoInternalFileName":"POWERSHELL","InitiatingProcessVersionInfoOriginalFileName":"PowerShell.EXE","InitiatingProcessVersionInfoFileDescription":"Windows 
PowerShell","InitiatingProcessParentId":820,"InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessParentCreationTime":"2021-06-24T04:49:41.1741012Z","InitiatingProcessLogonId":1357805418,"ReportId_long":113616,"ReportId_string":"","AppGuardContainerId":"","AdditionalFields_string":"{\"AttributeList\":[\"thumbnailphoto\"],\"DistinguishedName\":\"CN=596f0e13-7a4b-49a1-a106-0cbcba66b065,CN=ADFS,CN=Microsoft,CN=Program Data,DC=simulandlabs,DC=com\",\"ScopeOfSearch\":\"SubTree\",\"SearchFilter\":\"(l=9736f74f-fd37-4b02-80e8-8120a72ad6c2)\"}","AdditionalFields_dynamic":null,"Application":"","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"","DestinationIPAddress":"","DestinationPort":null,"Protocol":"","AccountUpn":"","AccountObjectId":"","AccountDisplayName":"","IPAddress":"","Port":null,"Location":"","ISP":"","ApplicationId":null,"IsAdminOperation":null,"DeviceType":"","OSPlatform":"","IsAnonymousProxy":null,"CountryCode":"","City":"","UserAgent":"","ActivityType":"","ActivityObjects":null,"ObjectName":"","ObjectType":"","ObjectId":"","RawEventData":null,"rawData":null,"AppId":"","OAuthAppId":""}
{"Timestamp":"2021-08-02T13:15:30.513652Z","DeviceId":"00000000-0000-0000-0000-000000000000","DeviceName":"adfs01.simulandlabs.com","ActionType":"LdapSearch","FileName":"","FolderPath":"","SHA1":"","SHA256":"","MD5":"","FileSize":null,"AccountDomain":"","AccountName":"","AccountSid":"","RemoteUrl":"","RemoteDeviceName":"","ProcessId":null,"ProcessCommandLine":"","ProcessCreationTime":null,"ProcessTokenElevation":"","LogonId":null,"RegistryKey":"","RegistryValueName":"","RegistryValueData":"","RemoteIP":"","RemotePort":null,"LocalIP":"","LocalPort":null,"FileOriginUrl":"","FileOriginIP":"","InitiatingProcessSHA1":"6cbce4a295c163791b60fc23d285e6d84f28ee4c","InitiatingProcessSHA256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","InitiatingProcessMD5":"7353f60b1739074eb17c5f4dddefe239","InitiatingProcessFileName":"powershell.exe","InitiatingProcessFileSize":448000,"InitiatingProcessFolderPath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","InitiatingProcessId":5692,"InitiatingProcessCommandLine":"\"powershell.exe\" ","InitiatingProcessCreationTime":"2021-08-02T10:45:40.0664337Z","InitiatingProcessAccountDomain":"simulandlabs","InitiatingProcessAccountName":"wardog","InitiatingProcessAccountSid":"S-1-5-21-2490359158-13971675-3780420524-500","InitiatingProcessAccountUpn":"wardog@simulandlabs.com","InitiatingProcessAccountObjectId":"","InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoProductName":"Microsoft® Windows® Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.17763.1","InitiatingProcessVersionInfoInternalFileName":"POWERSHELL","InitiatingProcessVersionInfoOriginalFileName":"PowerShell.EXE","InitiatingProcessVersionInfoFileDescription":"Windows 
PowerShell","InitiatingProcessParentId":820,"InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessParentCreationTime":"2021-06-24T04:49:41.1741012Z","InitiatingProcessLogonId":1357805418,"ReportId_long":113771,"ReportId_string":"","AppGuardContainerId":"","AdditionalFields_string":"{\"AttributeList\":[\"\"],\"DistinguishedName\":\"DC=simulandlabs,DC=com\",\"ScopeOfSearch\":\"SubTree\",\"SearchFilter\":\"(\u0026(objectCategory=user)(memberOf=CN=Domain Admins,CN=Users,DC=simulandlabs,DC=com))\"}","AdditionalFields_dynamic":null,"Application":"","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"","DestinationIPAddress":"","DestinationPort":null,"Protocol":"","AccountUpn":"","AccountObjectId":"","AccountDisplayName":"","IPAddress":"","Port":null,"Location":"","ISP":"","ApplicationId":null,"IsAdminOperation":null,"DeviceType":"","OSPlatform":"","IsAnonymousProxy":null,"CountryCode":"","City":"","UserAgent":"","ActivityType":"","ActivityObjects":null,"ObjectName":"","ObjectType":"","ObjectId":"","RawEventData":null,"rawData":null,"AppId":"","OAuthAppId":""}
{"Timestamp":"2021-08-02T13:13:02.057Z","ActionType":"Directory Services replication","Application":"Active Directory","ApplicationId":null,"AccountObjectId":"aead923d-498b-4f64-a66c-2af91447a8b6","AccountDisplayName":"Gustavo Pedro","IsAdminOperation":null,"DeviceType":"","OSPlatform":"","IPAddress":"192.168.2.5","IsAnonymousProxy":null,"CountryCode":"","City":"","ISP":"INTERNAL_NETWORK","UserAgent_dynamic":null,"UserAgent_string":"","ActivityType":"","ActivityObjects":null,"ObjectName":"","ObjectType":"","ObjectId":"","ReportId":"3ab932f1-c0d9-4c09-bb4d-dfc0852bbdf7_106830890_1627909982057_20940","AdditionalFields":{"DestinationComputerOperatingSystemVersion":"10.0 (17763)","DestinationComputerOperatingSystemType":"windows","DestinationComputerOperatingSystem":"windows server 2019 datacenter","SourceComputerOperatingSystemType":"windows","SourceComputerOperatingSystemVersion":"10.0 (17763)","SourceComputerOperatingSystem":"windows server 2019 datacenter","ACTOR.ACCOUNT":"Gustavo Pedro","TO.DEVICE":"DC01","Count":"1","ACTOR.ENTITY_USER":"Gustavo Pedro","FROM.DEVICE":"ADFS01","ARG.TASK":"Directory Services replication"},"UserId":"","Permissions":null,"PermissionsAddedTo":"","RawEventData":null,"spnID":"","rawData":null,"AppId":"","OAuthAppId":"","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"dc01.simulandlabs.com","DestinationIPAddress":"192.168.2.4","DestinationPort":49668,"Protocol":"Drsr","AccountName":"pgustavo","AccountDomain":"simulandlabs.com","AccountUpn":"pgustavo@simulandlabs.com","AccountSid":"S-1-5-21-2490359158-13971675-3780420524-1105","DeviceName":"adfs01.simulandlabs.com","Port":53163,"Location":""}
{"Timestamp":"2021-08-02T13:08:18.374Z","ActionType":"Directory Services replication","Application":"Active Directory","ApplicationId":null,"AccountObjectId":"aead923d-498b-4f64-a66c-2af91447a8b6","AccountDisplayName":"Gustavo Pedro","IsAdminOperation":null,"DeviceType":"","OSPlatform":"","IPAddress":"192.168.2.5","IsAnonymousProxy":null,"CountryCode":"","City":"","ISP":"INTERNAL_NETWORK","UserAgent_dynamic":null,"UserAgent_string":"","ActivityType":"","ActivityObjects":null,"ObjectName":"","ObjectType":"","ObjectId":"","ReportId":"85a25128-abab-4d26-8906-5fe01c1afe17_106830890_1627909698374_20940","AdditionalFields":{"DestinationComputerOperatingSystemVersion":"10.0 (17763)","DestinationComputerOperatingSystemType":"windows","DestinationComputerOperatingSystem":"windows server 2019 datacenter","SourceComputerOperatingSystemType":"windows","SourceComputerOperatingSystemVersion":"10.0 (17763)","SourceComputerOperatingSystem":"windows server 2019 datacenter","ACTOR.ACCOUNT":"Gustavo Pedro","Count":"1","TO.DEVICE":"DC01","ACTOR.ENTITY_USER":"Gustavo Pedro","FROM.DEVICE":"ADFS01","ARG.TASK":"Directory Services replication"},"UserId":"","Permissions":null,"PermissionsAddedTo":"","RawEventData":null,"spnID":"","rawData":null,"AppId":"","OAuthAppId":"","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"dc01.simulandlabs.com","DestinationIPAddress":"192.168.2.4","DestinationPort":49668,"Protocol":"Drsr","AccountName":"pgustavo","AccountDomain":"simulandlabs.com","AccountUpn":"pgustavo@simulandlabs.com","AccountSid":"S-1-5-21-2490359158-13971675-3780420524-1105","DeviceName":"adfs01.simulandlabs.com","Port":53115,"Location":""}
{"Timestamp":"2021-08-02T13:32:07Z","ActionType":"MailItemsAccessed","Application":"Microsoft Exchange Online","ApplicationId":20893,"AccountObjectId":"5a95e683-08ad-424e-a441-1d1aec52c02c","AccountDisplayName":"SimuLandApp","IsAdminOperation":0,"DeviceType":"Other","OSPlatform":"Unknown","IPAddress":"1.2.3.4","IsAnonymousProxy":0,"CountryCode":"US","City":"chicago","ISP":"Microsoft 365 Common and Office Online server","UserAgent_dynamic":null,"UserAgent_string":"Client=REST;;","ActivityType":"Run","ActivityObjects":[{"ServiceObjectType":"Session ID","Type":"Structured object","Role":"Parameter"},{"Type":"Task","Role":"Target object","Name":"MailItemsAccessed"},{"Type":"Property","Role":"Parameter","Name":"MailAccessType","Value":"Bind"},{"Type":"Property","Role":"Parameter","Name":"IsThrottled","Value":"False"},{"ApplicationInstance":0,"ApplicationId":11161,"Type":"User","Role":"Parameter","Name":"Gustavo Pedro","Id":"aead923d-498b-4f64-a66c-2af91447a8b6"},{"ApplicationInstance":0,"ApplicationId":11161,"Type":"Account","Role":"Actor","Name":"SimuLandApp","Id":"5a95e683-08ad-424e-a441-1d1aec52c02c"}],"ObjectName":"MailItemsAccessed","ObjectType":"Task","ObjectId":"","ReportId":"106830890_20893_699e0b10-1c53-403e-976f-ce0847a92b44","AdditionalFields":{"IsSatelliteProvider":false},"UserId":"","Permissions":null,"PermissionsAddedTo":"","RawEventData":{"OrganizationId":"00000000-0000-0000-0000-000000000000","CreationTime":"2021-08-02T13:32:07.0000000Z","RecordType":50,"Operation":"MailItemsAccessed","UserType":0,"Workload":"Exchange","Version":1,"UserKey":"100320015858B802","UserId":"pgustavo@simulandlabs.com","OriginatingServer":"AB1CD23EF4567 (15.20.4200.000)\r\n","InternalLogonType":0,"OrganizationName":"simulandlabs.onmicrosoft.com","ClientInfoString":"Client=REST;;","MailboxOwnerSid":"S-1-5-21-1825954961-3338807533-2873504967-26087451","ClientIPAddress":"1.2.3.4","MailboxOwnerUPN":"pgustavo@simulandlabs.com","ExternalAccess":false,"ResultStatus":"Succeeded","Id":"699e0b10-1c53-403e-976f-ce0847a92b44","LogonUserSid":"S-1-5-21-1825954961-3338807533-2873504967-26087451","MailboxGuid":"d0c5f8ae-9ed7-4e46-bfdf-ea1460f5a31b","LogonType":0,"OperationProperties":["@{Value=Bind; Name=MailAccessType}","@{Value=False; Name=IsThrottled}"],"OperationCount":7,"AppId":"00000003-0000-0000-c000-000000000000","Folders":["@{Id=LgAAAAAM7KyTTmWeRac2KXBEz/7aAQARGHK+grzLTpRJraC1QR6kAAAAAAEMAAAB; Path=\\Inbox; FolderItems=System.Object[]}"],"ClientAppId":"5a95e683-08ad-424e-a441-1d1aec52c02c"},"spnID":"","rawData":{"OrganizationId":"00000000-0000-0000-0000-000000000000","CreationTime":"2021-08-02T13:32:07.0000000Z","RecordType":50,"Operation":"MailItemsAccessed","UserType":0,"Workload":"Exchange","Version":1,"UserKey":"100320015858B802","UserId":"pgustavo@simulandlabs.com","OriginatingServer":"AB1CD23EF4567 (15.20.4200.000)\r\n","InternalLogonType":0,"OrganizationName":"simulandlabs.onmicrosoft.com","ClientInfoString":"Client=REST;;","MailboxOwnerSid":"S-1-5-21-1825954961-3338807533-2873504967-26087451","ClientIPAddress":"1.2.3.4","MailboxOwnerUPN":"pgustavo@simulandlabs.com","ExternalAccess":false,"ResultStatus":"Succeeded","Id":"699e0b10-1c53-403e-976f-ce0847a92b44","LogonUserSid":"S-1-5-21-1825954961-3338807533-2873504967-26087451","MailboxGuid":"d0c5f8ae-9ed7-4e46-bfdf-ea1460f5a31b","LogonType":0,"OperationProperties":["@{Value=Bind; Name=MailAccessType}","@{Value=False; Name=IsThrottled}"],"OperationCount":7,"AppId":"00000003-0000-0000-c000-000000000000","Folders":["@{Id=LgAAAAAM7KyTTmWeRac2KXBEz/7aAQARGHK+grzLTpRJraC1QR6kAAAAAAEMAAAB; Path=\\Inbox; FolderItems=System.Object[]}"],"ClientAppId":"5a95e683-08ad-424e-a441-1d1aec52c02c"},"AppId":"00000003-0000-0000-c000-000000000000","OAuthAppId":"5a95e683-08ad-424e-a441-1d1aec52c02c","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"","DestinationIPAddress":"","DestinationPort":null,"Protocol":"","AccountName":"","AccountDomain":"","AccountUpn":"","AccountSid":"","DeviceName":"","Port":null,"Location":""}
{"Timestamp":"2021-08-02T13:27:20Z","ActionType":"Add delegated permission grant.","Application":"Office 365","ApplicationId":11161,"AccountObjectId":"aead923d-498b-4f64-a66c-2af91447a8b6","AccountDisplayName":"Gustavo Pedro","IsAdminOperation":0,"DeviceType":"Desktop","OSPlatform":"Windows 10","IPAddress":"","IsAnonymousProxy":null,"CountryCode":"","City":"","ISP":"","UserAgent_dynamic":null,"UserAgent_string":"","ActivityType":"Basic","ActivityObjects":[{"ApplicationInstance":0,"ApplicationId":11161,"Type":"User","Role":"Actor","Name":"Gustavo Pedro","Id":"aead923d-498b-4f64-a66c-2af91447a8b6"}],"ObjectName":"","ObjectType":"","ObjectId":"","ReportId":"106830890_11161_e417c1fd-ae0b-4efa-891b-bb6b0ea7d35e","AdditionalFields":{},"UserId":"pgustavo@simulandlabs.com","Permissions":"User.Read Mail.ReadWrite","PermissionsAddedTo":"Microsoft Graph","RawEventData":null,"spnID":"","rawData":null,"AppId":"","OAuthAppId":"","TargetAccountUpn":"","TargetAccountDisplayName":"","TargetDeviceName":"","DestinationDeviceName":"","DestinationIPAddress":"","DestinationPort":null,"Protocol":"","AccountName":"","AccountDomain":"","AccountUpn":"","AccountSid":"","DeviceName":"","Port":null,"Location":""}

Office Activity events

{"TenantId":"00000000-0000-0000-0000-000000000000","RecordType":"50","TimeGenerated":"2021-08-02T13:32:07Z","Operation":"MailItemsAccessed","OrganizationId":"00000000-0000-0000-0000-000000000000","OrganizationId_":"00000000-0000-0000-0000-000000000000","UserType":"Regular","UserKey":"100320015858B802","OfficeWorkload":"Exchange","ResultStatus":"Succeeded","ResultReasonType":"Succeeded","UserId":"pgustavo@simulandlabs.com","UserId_":"pgustavo@simulandlabs.com","ExternalAccess":"False","OriginatingServer":"AB1CD23EF4567 (15.20.4200.000)\r\n","OrganizationName":"simulandlabs.onmicrosoft.com","Logon_Type":"Owner","MailboxGuid":"d0c5f8ae-9ed7-4e46-bfdf-ea1460f5a31b","MailboxOwnerUPN":"pgustavo@simulandlabs.com","MailboxOwnerSid":"S-1-5-21-1825954961-3338807533-2873504967-26087451","LogonUserSid":"S-1-5-21-1825954961-3338807533-2873504967-26087451","ClientInfoString":"Client=REST;;","Client_IPAddress":"1.2.3.4","Folders":"[{\"FolderItems\":[{\"InternetMessageId\":\"\u003c00000000-0000-0000-0000-000000000000@az.centralus.production.microsoft.com\u003e\"},{\"InternetMessageId\":\"\u003cAB1CD23EF4567DAC24353B8AD047DDEB0B1EB9@AB1CD23EF4567.abcdef12.prod.outlook.com\u003e\"},{\"InternetMessageId\":\"\u003c00000000-0000-0000-0000-000000000000@az.southcentralus.production.microsoft.com\u003e\"},{\"InternetMessageId\":\"\u003c00000000-0000-0000-0000-000000000000@az.eastus.production.microsoft.com\u003e\"},{\"InternetMessageId\":\"\u003c00000000-0000-0000-0000-000000000000@az.northcentralus.production.microsoft.com\u003e\"},{\"InternetMessageId\":\"\u003c00000000-0000-0000-0000-000000000000@az.northcentralus.production.microsoft.com\u003e\"},{\"InternetMessageId\":\"\u003c00000000-0000-0000-0000-000000000000@az.westus2.production.microsoft.com\u003e\"}],\"Id\":\"LgAAAAAM7KyTTmWeRac2KXBEz/7aAQARGHK+grzLTpRJraC1QR6kAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"}]","ElevationTime":"2021-08-02T13:41:16Z","SourceSystem":"OfficeActivityManager","OfficeId":"699e0b10-1c53-403e-976f-ce0847a92b44","SourceRecordId":"699e0b10-1c53-403e-976f-ce0847a92b44","Start_Time":"2021-08-02T13:41:16Z","OfficeTenantId":"$RestApiTenantId$","OfficeTenantId_":"$RestApiTenantId$","OperationProperties":"[{\"Name\":\"MailAccessType\",\"Value\":\"Bind\"},{\"Name\":\"IsThrottled\",\"Value\":\"False\"}]","AppId":"00000003-0000-0000-c000-000000000000","ClientAppId":"5a95e683-08ad-424e-a441-1d1aec52c02c","Type":"OfficeActivity"}

Windows events

{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:09:20.04Z","Computer":"ADFS01.simulandlabs.com","EventData_dynamic":"[\"00000000-0000-0000-0000-000000000000\",\"00000000-0000-0000-0000-000000000000\",\"http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\",\"-\"]","EventID":412,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/adfs01","EventSourceName":"AD FS Auditing","Channel":"Security","Task":3,"Level":"8","Activity":"412","SourceComputerId":"00000000-0000-0000-0000-000000000000","EventOriginId":"76d12871-4344-4404-bc82-0a78925cff53","TimeCollected":"2021-08-02T13:09:50.336Z","InstanceId":"00000000-0000-0000-0000-000000000000"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:09:20.04Z","Computer":"ADFS01.simulandlabs.com","EventData_dynamic":"[\"00000000-0000-0000-0000-000000000000\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\"SIMULANDLABS\\\\adfsadmin\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid\",\"S-1-5-21-2490359158-13971675-3780420524-1103\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid\",\"S-1-5-21-2490359158-13971675-3780420524-513\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid\",\"S-1-5-21-2490359158-13971675-3780420524-513\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid\",\"S-1-1-0\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid\",\"S-1-5-32-545\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid\",\"S-1-5-32-555\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid\",\"S-1-5-2\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid\",\"S-1-5-11\",\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid\",\"S-1-5-15\"]","EventID":501,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/adfs01","EventSourceName":"AD FS Auditing","Channel":"Security","Task":3,"Level":"8","Activity":"501 - The Desktop Window Manager is experiencing heavy resource contention.","SourceComputerId":"00000000-0000-0000-0000-000000000000","EventOriginId":"099d331c-a760-4a26-860e-4567d70cbb4b","TimeCollected":"2021-08-02T13:09:50.336Z","InstanceId":"00000000-0000-0000-0000-000000000000","ClaimsName":"SIMULANDLABS\\adfsadmin"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:06:38.33Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"bd2dda1b-862a-504f-2260-d9d2ed316e26","Account":"SIMULANDLABS.COM\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53085","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\wardog","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0cd568","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"wardog","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"2d67cfe2-b74b-41c2-b17a-b448e4a08eb1","TimeCollected":"2021-08-02T13:06:39.229Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:06:38.337Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"bd2dda1b-862a-504f-2260-d9d2ed316e26","Account":"SIMULANDLABS.COM\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53091","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\wardog","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0cd582","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"wardog","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"af176896-1735-493d-9cf0-4c1ab983b629","TimeCollected":"2021-08-02T13:06:39.229Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:06:39.587Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"48ae5626-7f7e-6ccc-b4ac-5d15e2e59fe1","Account":"SIMULANDLABS.COM\\adfsadmin","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53094","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\adfsadmin","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0ce93e","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"adfsadmin","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1103","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"692a5c76-57a7-4953-a1dc-353eb5de9681","TimeCollected":"2021-08-02T13:06:47.258Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:06:40.033Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"48ae5626-7f7e-6ccc-b4ac-5d15e2e59fe1","Account":"SIMULANDLABS.COM\\adfsadmin","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53097","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\adfsadmin","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0ce99e","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"adfsadmin","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1103","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"b090d851-a222-4933-8564-4ee9dbb341e3","TimeCollected":"2021-08-02T13:06:47.258Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:08:45.653Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"00000000-0000-0000-0000-000000000000","Account":"SIMULANDLABS\\pgustavo","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"NTLM","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53115","KeyLength":128,"LmPackageName":"NTLM V1","LogonProcessName":"NtLmSsp ","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS\\pgustavo","TargetDomainName":"SIMULANDLABS","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0de3f2","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"pgustavo","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1105","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"ADFS01","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"bd2190bf-d443-4b49-8b8f-f6c7a724a4df","TimeCollected":"2021-08-02T13:08:47.231Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:08:45.68Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58720","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0de422","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"373e2bda-04aa-480b-95ae-04c3a54f4ea4","TimeCollected":"2021-08-02T13:08:47.231Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:39.767Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"bd2dda1b-862a-504f-2260-d9d2ed316e26","Account":"SIMULANDLABS.COM\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53140","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\wardog","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0f2cd7","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"wardog","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"d59020eb-16cd-46e9-9c88-fee2654ab7ae","TimeCollected":"2021-08-02T13:11:40.251Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:39.853Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58757","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0f2d0f","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"4c9033f2-af26-4f8d-a8cd-f6eb56a046a4","TimeCollected":"2021-08-02T13:11:41.243Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:39.857Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58758","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0f2d3d","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"109d83a4-db5f-4f6b-a3b3-8f84deed7aee","TimeCollected":"2021-08-02T13:11:41.243Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:39.86Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58759","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0f2d7b","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"e6e2911e-7f4b-4438-9575-e01bbfca8ab0","TimeCollected":"2021-08-02T13:11:41.243Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:05:33.483Z","Source":"MSSQL$MICROSOFT##WID","EventLog":"Application","Computer":"ADFS01.simulandlabs.com","EventLevel":8,"EventLevelName":"Audit Success","ParameterXml":"\u003cParam\u003e\u003c![CDATA[audit_schema_version:1 event_time:2021-08-02 13:05:32.7971667 sequence_number:1 action_id:SL   succeeded:true is_column_permission:true session_id:55 server_principal_id:2 database_principal_id:1 target_server_principal_id:0 target_database_principal_id:0 object_id:1717581157 user_defined_event_id:0 class_type:U  permission_bitmask:00000000000000000000000000000001 sequence_group_id:8CD5F561-0EC9-437F-9E50-D83756A1C214 session_server_principal_name:SIMULANDLABS\\wardog server_principal_name:SIMULANDLABS\\wardog server_principal_sid:01050000000000051500000076dd6f94db30d500aca354e1f4010000 database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:ADFS01\\MICROSOFT##WID database_name:AdfsConfigurationV4 schema_name:IdentityServerPolicy object_name:ServiceSettings statement:SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings additional_information: user_defined_information: ]]\u003e\u003c/Param\u003e","EventData_string":"\u003cDataItem type=\"System.XmlData\" time=\"2021-08-02T09:05:33.4847965-04:00\" sourceHealthServiceId=\"3ECDA523-E9E8-25D7-DBE1-B423A15C49B1\"\u003e\u003cEventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cData\u003eaudit_schema_version:1 event_time:2021-08-02 13:05:32.7971667 sequence_number:1 action_id:SL   succeeded:true is_column_permission:true session_id:55 server_principal_id:2 database_principal_id:1 target_server_principal_id:0 target_database_principal_id:0 object_id:1717581157 user_defined_event_id:0 class_type:U  permission_bitmask:00000000000000000000000000000001 sequence_group_id:8CD5F561-0EC9-437F-9E50-D83756A1C214 session_server_principal_name:SIMULANDLABS\\wardog server_principal_name:SIMULANDLABS\\wardog server_principal_sid:01050000000000051500000076dd6f94db30d500aca354e1f4010000 database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:ADFS01\\MICROSOFT##WID database_name:AdfsConfigurationV4 schema_name:IdentityServerPolicy object_name:ServiceSettings statement:SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings additional_information: user_defined_information: \u003c/Data\u003e\u003c/EventData\u003e\u003c/DataItem\u003e","EventID":33205,"RenderedDescription":"Audit event: audit_schema_version:1 event_time:2021-08-02 13:05:32.7971667 sequence_number:1 action_id:SL   succeeded:true is_column_permission:true session_id:55 server_principal_id:2 database_principal_id:1 target_server_principal_id:0 target_database_principal_id:0 object_id:1717581157 user_defined_event_id:0 class_type:U  permission_bitmask:00000000000000000000000000000001 sequence_group_id:8CD5F561-0EC9-437F-9E50-D83756A1C214 session_server_principal_name:SIMULANDLABS\\wardog server_principal_name:SIMULANDLABS\\wardog server_principal_sid:01050000000000051500000076dd6f94db30d500aca354e1f4010000 database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:ADFS01\\MICROSOFT##WID database_name:AdfsConfigurationV4 schema_name:IdentityServerPolicy object_name:ServiceSettings statement:SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings additional_information: user_defined_information: . ","EventCategory":5,"UserName":"N/A","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"Event","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/adfs01","action_id":"SL","session_server_principal_name":"SIMULANDLABS\\wardog","server_principal_name":"SIMULANDLABS\\wardog"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:39.77Z","Computer":"DC01.simulandlabs.com","EventID":4662,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","Account":"SIMULANDLABS\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":14080,"Level":"8","Activity":"4662 - An operation was performed on an object.","AccessList":"%%7684 \t\t\t\t","AccessMask":"0x10","AdditionalInfo":"-","HandleId":"0x0","ObjectName":"%{9736f74f-fd37-4b02-80e8-8120a72ad6c2}","ObjectServer":"DS","ObjectType":"%{5cb41ed0-0e4c-11d0-a286-00aa003049e2}","OperationType":"Object Access","Properties":"%%7684 \t\t{77b5b886-944a-11d1-aebd-0000f80367c1} \t\t\t{8d3bca50-1d7e-11d0-a081-00aa006c33ed} \t{5cb41ed0-0e4c-11d0-a286-00aa003049e2} ","SubjectAccount":"SIMULANDLABS\\wardog","SubjectDomainName":"SIMULANDLABS","SubjectLogonId":"0x8f0f2cd7","SubjectUserName":"wardog","SubjectUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"b3a1321d-7a68-4242-85d8-8e60b4f98631","TimeCollected":"2021-08-02T13:11:40.251Z","timestamp":"2021-08-02T13:11:39.77Z","HostCustomEntity":"DC01.simulandlabs.com","AccountCustomEntity":"SIMULANDLABS\\wardog"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:39.77Z","Computer":"DC01.simulandlabs.com","EventID":4662,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","Account":"SIMULANDLABS\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":14080,"Level":"8","Activity":"4662 - An operation was performed on an object.","AccessList":"%%7684 \t\t\t\t","AccessMask":"0x10","AdditionalInfo":"-","HandleId":"0x0","ObjectName":"%{9736f74f-fd37-4b02-80e8-8120a72ad6c2}","ObjectServer":"DS","ObjectType":"%{5cb41ed0-0e4c-11d0-a286-00aa003049e2}","OperationType":"Object Access","Properties":"%%7684 \t\t{e48d0154-bcf8-11d1-8702-00c04fb96050} \t\t\t{bf9679e5-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a0e-0de6-11d0-a285-00aa003049e2} \t\t{77b5b886-944a-11d1-aebd-0000f80367c1} \t\t\t{8d3bca50-1d7e-11d0-a081-00aa006c33ed} \t{5cb41ed0-0e4c-11d0-a286-00aa003049e2} ","SubjectAccount":"SIMULANDLABS\\wardog","SubjectDomainName":"SIMULANDLABS","SubjectLogonId":"0x8f0f2cd7","SubjectUserName":"wardog","SubjectUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"78d2d315-fa0e-497b-b4f0-22013af9dbf8","TimeCollected":"2021-08-02T13:11:40.251Z","timestamp":"2021-08-02T13:11:39.77Z","HostCustomEntity":"DC01.simulandlabs.com","AccountCustomEntity":"SIMULANDLABS\\wardog"}
{"TimeGenerated":"2021-08-02T13:05:32.77Z","Source":"Microsoft-Windows-Sysmon","EventLog":"Microsoft-Windows-Sysmon/Operational","Computer":"ADFS01.simulandlabs.com","EventLevel":4,"EventLevelName":"Information","EventID":18,"RenderedDescription":"Pipe Connected","UserName":"NT AUTHORITY\\SYSTEM","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"Event","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/adfs01","EventType":"ConnectPipe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","PipeName":"\\MICROSOFT##WID\\tsql\\query","ProcessGuid":"{9acedb82-ccd4-6107-22de-030000000600}","ProcessId_dynamic":"5692","RuleName":"-","UtcTime":"2021-08-02T13:05:32.7650000Z","process":"powershell.exe","Operation":"Pipe Connected"}
{"TimeGenerated":"2021-08-02T13:09:19.323Z","Computer":"ADFS01.simulandlabs.com","EventID":5156,"Protocol_string":"6","SourcePort_string":"53121","Application":"System","DestAddress":"fe80::a405:857d:204:efa5","DestPort":"80","Direction":"%%14592","FilterRTID":"65891","LayerName":"%%14610","LayerRTID":"46","ProcessID":"4","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","SourceAddress":"fe80::a405:857d:204:efa5"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:23:47.457Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"b255cc61-1f84-22cb-9ae5-efcce367b981","Account":"SIMULANDLABS.COM\\MSOL_2826475d0356","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58902","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\MSOL_2826475d0356","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f15ea51","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"MSOL_2826475d0356","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1118","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"82a68cac-fe1a-46fa-80f1-bea1754266cf","TimeCollected":"2021-08-02T13:23:48.506Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:24:11.643Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"b255cc61-1f84-22cb-9ae5-efcce367b981","Account":"SIMULANDLABS.COM\\MSOL_2826475d0356","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58913","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\MSOL_2826475d0356","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f17c70d","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"MSOL_2826475d0356","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1118","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"66d9fdeb-54e5-4f06-82ab-1bd389e390a4","TimeCollected":"2021-08-02T13:24:12.318Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:53.63Z","Computer":"DC01.simulandlabs.com","EventID":4662,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","Account":"SIMULANDLABS\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":14080,"Level":"8","Activity":"4662 - An operation was performed on an object.","AccessList":"%%7684 \t\t\t\t","AccessMask":"0x10","AdditionalInfo":"-","HandleId":"0x0","ObjectName":"%{9736f74f-fd37-4b02-80e8-8120a72ad6c2}","ObjectServer":"DS","ObjectType":"%{5cb41ed0-0e4c-11d0-a286-00aa003049e2}","OperationType":"Object Access","Properties":"%%7684 \t\t{77b5b886-944a-11d1-aebd-0000f80367c1} \t\t\t{8d3bca50-1d7e-11d0-a081-00aa006c33ed} \t{5cb41ed0-0e4c-11d0-a286-00aa003049e2} ","SubjectAccount":"SIMULANDLABS\\wardog","SubjectDomainName":"SIMULANDLABS","SubjectLogonId":"0x8f0f43a6","SubjectUserName":"wardog","SubjectUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"75cef050-28c0-493a-90f0-077fb4776d17","TimeCollected":"2021-08-02T13:11:56.243Z","timestamp":"2021-08-02T13:11:53.63Z","HostCustomEntity":"DC01.simulandlabs.com","AccountCustomEntity":"SIMULANDLABS\\wardog"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:13:11Z","Computer":"DC01.simulandlabs.com","EventID":4662,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","Account":"SIMULANDLABS\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":14080,"Level":"8","Activity":"4662 - An operation was performed on an object.","AccessList":"%%7684 \t\t\t\t","AccessMask":"0x10","AdditionalInfo":"-","HandleId":"0x0","ObjectName":"%{9736f74f-fd37-4b02-80e8-8120a72ad6c2}","ObjectServer":"DS","ObjectType":"%{5cb41ed0-0e4c-11d0-a286-00aa003049e2}","OperationType":"Object Access","Properties":"%%7684 \t\t{e48d0154-bcf8-11d1-8702-00c04fb96050} \t\t\t{bf9679e5-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a0e-0de6-11d0-a285-00aa003049e2} \t\t{77b5b886-944a-11d1-aebd-0000f80367c1} \t\t\t{8d3bca50-1d7e-11d0-a081-00aa006c33ed} \t{5cb41ed0-0e4c-11d0-a286-00aa003049e2} ","SubjectAccount":"SIMULANDLABS\\wardog","SubjectDomainName":"SIMULANDLABS","SubjectLogonId":"0x8f105095","SubjectUserName":"wardog","SubjectUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"087a856d-3d17-4544-b24a-38ee4223fa1b","TimeCollected":"2021-08-02T13:13:12.291Z","timestamp":"2021-08-02T13:13:11Z","HostCustomEntity":"DC01.simulandlabs.com","AccountCustomEntity":"SIMULANDLABS\\wardog"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:13:11.003Z","Computer":"DC01.simulandlabs.com","EventID":4662,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","Account":"SIMULANDLABS\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":14080,"Level":"8","Activity":"4662 - An operation was performed on an object.","AccessList":"%%7684 \t\t\t\t","AccessMask":"0x10","AdditionalInfo":"-","HandleId":"0x0","ObjectName":"%{9736f74f-fd37-4b02-80e8-8120a72ad6c2}","ObjectServer":"DS","ObjectType":"%{5cb41ed0-0e4c-11d0-a286-00aa003049e2}","OperationType":"Object Access","Properties":"%%7684 \t{5cb41ed0-0e4c-11d0-a286-00aa003049e2} \t\t{e48d0154-bcf8-11d1-8702-00c04fb96050} \t\t\t{bf9679e5-0de6-11d0-a285-00aa003049e2} \t\t\t{bf96793f-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a41-0de6-11d0-a285-00aa003049e2} \t\t\t{bf9679ef-0de6-11d0-a285-00aa003049e2} \t\t\t{bf9679f0-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a55-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967950-0de6-11d0-a285-00aa003049e2} \t\t\t{f0f8ff8e-1191-11d0-a060-00aa006c33ed} \t\t\t{f0f8ff90-1191-11d0-a060-00aa006c33ed} \t\t\t{bf9679e4-0de6-11d0-a285-00aa003049e2} \t\t\t{f0f8ffa7-1191-11d0-a060-00aa006c33ed} \t\t\t{bf96794f-0de6-11d0-a285-00aa003049e2} \t\t\t{f0f8ff88-1191-11d0-a060-00aa006c33ed} \t\t\t{bf967a06-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967954-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a1c-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a0e-0de6-11d0-a285-00aa003049e2} \t\t\t{bf9679e7-0de6-11d0-a285-00aa003049e2} \t\t\t{fe6136a0-2073-11d0-a9c2-00aa006c33ed} \t\t\t{6d05fb41-246b-11d0-a9c8-00aa006c33ed} \t\t\t{e0fa1e62-9b45-11d0-afdd-00c04fd930c9} \t\t\t{3e74f60e-3e73-11d1-a9c0-0000f80367c1} \t\t\t{0296c123-40da-11d1-a9c0-0000f80367c1} \t\t\t{28630ebc-41d5-11d1-a9c1-0000f80367c1} \t\t\t{26d97369-6070-11d1-a9c6-0000f80367c1} \t\t\t{800d94d7-b7a1-42a1-b14d-7cae1423d07f} \t\t\t{773e93af-d3b4-48d4-b3f9-06457602d3d0} \t\t\t{4b1cba4e-302f-4134-ac7c-f01f6c797843} \t\t\t{f217e4ec-0836-4b90-88af-2f5d4bbda2bc} \t\t\t{6cd53daf-003e-49e7-a702-6fa896e7a6ef} \t\t\t{5bd5208d-e5f4-46ae-a514-543bc9c47659} \t\t\t{e21a94e4-2d66-4ce5-b30d-0ef87a776ff0} \t\t\t{def449f1-fd3b-4045-98cf-d9658da788b5} \t\t\t{bf967961-0de6-11d0-a285-00aa003049e2} \t\t\t{bf9679b5-0de6-11d0-a285-00aa003049e2} \t\t{771727b1-31b8-4cdf-ae62-4fe39fadf89e} \t\t\t{bf967a78-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a77-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a3c-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a70-0de6-11d0-a285-00aa003049e2} \t\t\t{bf96798f-0de6-11d0-a285-00aa003049e2} \t\t\t{167757bc-47f3-11d1-a9c3-0000f80367c1} \t\t\t{16775848-47f3-11d1-a9c3-0000f80367c1} \t\t\t{bf967a1e-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a1d-0de6-11d0-a285-00aa003049e2} \t\t\t{bf9679f4-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a6f-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a73-0de6-11d0-a285-00aa003049e2} \t\t\t{bf96791a-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967972-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a71-0de6-11d0-a285-00aa003049e2} \t\t\t{5fd424a1-1262-11d0-a060-00aa006c33ed} \t\t\t{a8df7394-c5ea-11d1-bbcb-0080c76670c0} \t\t\t{a8df7498-c5ea-11d1-bbcb-0080c76670c0} \t\t\t{16775820-47f3-11d1-a9c3-0000f80367c1} \t\t\t{a8df7407-c5ea-11d1-bbcb-0080c76670c0} \t\t\t{bf967a16-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967962-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967976-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a21-0de6-11d0-a285-00aa003049e2} \t\t\t{244b2970-5abd-11d0-afd2-00c04fd930c9} \t\t\t{66171887-8f3c-11d0-afda-00c04fd930c9} \t\t\t{3e10944d-c354-11d0-aff8-0000f80367c1} \t\t\t{26d9736e-6070-11d1-a9c6-0000f80367c1} \t\t\t{52458019-ca6a-11d0-afff-0000f80367c1} \t\t\t{e1aea404-cd5b-11d0-afff-0000f80367c1} \t\t\t{05308983-7688-11d1-aded-00c04fd8d5cd} \t\t\t{19405b9c-3cfa-11d1-a9c0-0000f80367c1} \t\t\t{19405b9e-3cfa-11d1-a9c0-0000f80367c1} \t\t\t{0296c122-40da-11d1-a9c0-0000f80367c1} \t\t\t{0296c124-40da-11d1-a9c0-0000f80367c1} \t\t\t{bf967951-0de6-11d0-a285-00aa003049e2} \t\t\t{28630ec0-41d5-11d1-a9c1-0000f80367c1} \t\t\t{52ab8670-5709-11d1-a9c6-0000f80367c1} \t\t\t{d50c2cdb-8951-11d1-aebc-0000f80367c1} \t\t\t{07383082-91df-11d1-aebc-0000f80367c1} \t\t\t{00fbf30d-91fe-11d1-aebc-0000f80367c1} \t\t\t{2a132579-9373-11d1-aebc-0000f80367c1} \t\t\t{2a13257f-9373-11d1-aebc-0000f80367c1} \t\t\t{167758ad-47f3-11d1-a9c3-0000f80367c1} \t\t\t{e1aea402-cd5b-11d0-afff-0000f80367c1} \t\t\t{d167aa4b-8b08-11d2-9939-0000f87a57d4} \t\t\t{1ea64e5d-ac0f-11d2-90df-00c04fd91ab1} \t\t\t{23773dc2-b63a-11d2-90e1-00c04fd91ab1} \t\t\t{178b7bc2-b63a-11d2-90e1-00c04fd91ab1} \t\t\t{e48e64e0-12c9-11d3-9102-00c04fd91ab1} \t\t\t{67f121dc-7d02-4c7d-82f5-9ad4c950ac34} \t\t\t{9e6f3a4d-242c-4f37-b068-36b57f9fc852} \t\t\t{bf967a31-0de6-11d0-a285-00aa003049e2} \t\t\t{2a8c68fc-3a7a-4e87-8720-fe77c51cbe74} \t\t\t{ececcd20-a7e0-4688-9ccf-02ece5e287f5} \t\t\t{a637d211-5739-4ed1-89b2-88974548bc59} \t\t\t{df446e52-b5fa-4ca2-a42f-13f98a526c8f} \t\t\t{f85b6228-3734-4525-b6b7-3f3bb220902c} \t\t\t{a0dcd536-5158-42fe-8c40-c00a7ad37959} \t\t\t{60234769-4819-4615-a1b2-49d2f119acb5} \t\t\t{2b702515-c1f7-4b3b-b148-c0e4c6ceecb4} \t\t\t{bf967a6e-0de6-11d0-a285-00aa003049e2} \t\t\t{94f6f2ac-c76d-4b5e-b71f-f332c3e93c22} \t\t\t{5dd68c41-bfdf-438b-9b5d-39d9618bf260} \t\t\t{c8bc72e0-a6b4-48f0-94a5-fd76a88c9987} \t\t\t{ff155a2a-44e5-4de0-8318-13a58988de4f} \t\t\t{37c94ff6-c6d4-498f-b2f9-c6f7f8647809} \t\t\t{bf967a32-0de6-11d0-a285-00aa003049e2} \t\t\t{16775804-47f3-11d1-a9c3-0000f80367c1} \t\t\t{e8b2c971-a6df-47bc-8d6f-62770d527aa5} \t\t\t{f547511c-5b2a-44cc-8358-992a88258164} \t\t\t{a45398b7-c44a-4eb6-82d3-13c10946dbfe} \t\t\t{5e6cf031-bda8-43c8-aca4-8fee4127005b} \t\t\t{5a2eacd7-cc2b-48cf-9d9a-b6f1a0024de9} \t\t\t{1a3d0d20-5844-4199-ad25-0f5039a76ada} \t\t\t{79abe4eb-88f3-48e7-89d6-f4bc7e98c331} \t\t\t{8fb59256-55f1-444b-aacb-f5b482fe3459} \t\t\t{8ab15858-683e-466d-877f-d640e1f9a611} \t\t\t{ce5b01bc-17c6-44b8-9dc1-a9668b00901b} \t\t\t{54d522db-ec95-48f5-9bbd-1880ebbb2180} \t\t\t{7469b704-edb0-4568-a5a5-59f4862c75a7} \t\t\t{998c06ac-3f87-444e-a5df-11b03dc8a50c} \t\t\t{ab5543ad-23a1-3b45-b937-9b313d5474a8} \t\t\t{5a5661a1-97c6-544b-8056-e430fe7bc554} \t\t\t{d5006229-9913-2242-8b17-83761d1e0e5b} \t\t\t{78565e80-03d4-4fe3-afac-8c3bca2f3653} \t\t\t{b002f407-1340-41eb-bca0-bd7d938e25a9} \t\t\t{34f6bdf5-2e79-4c3b-8e14-3d93b75aab89} \t\t\t{fa0c8ade-4c94-4610-bace-180efdee2140} \t\t\t{a8df7489-c5ea-11d1-bbcb-0080c76670c0} \t\t\t{fa4693bb-7bc2-4cb9-81a8-c99c43b7905e} \t\t\t{bf96798c-0de6-11d0-a285-00aa003049e2} \t\t\t{01072d9a-98ad-4a53-9744-e83e287278fb} \t\t\t{bf9679f2-0de6-11d0-a285-00aa003049e2} \t\t\t{bf9679a9-0de6-11d0-a285-00aa003049e2} \t\t\t{c569bb46-c680-44bc-a273-e6c227d71b45} \t\t\t{7bd76b92-3244-438a-ada6-24f5ea34381e} \t\t\t{adde62c6-1880-41ed-bd3c-30b7d25e14f0} \t\t\t{5eb526d7-d71b-44ae-8cc6-95460052e6ac} \t\t{77b5b886-944a-11d1-aebd-0000f80367c1} \t\t\t{0296c121-40da-11d1-a9c0-0000f80367c1} \t\t\t{0296c11f-40da-11d1-a9c0-0000f80367c1} \t\t\t{bf9679a2-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a10-0de6-11d0-a285-00aa003049e2} \t\t\t{0296c11c-40da-11d1-a9c0-0000f80367c1} \t\t\t{bf967a7f-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a3a-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a39-0de6-11d0-a285-00aa003049e2} \t\t\t{bf9679fc-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967945-0de6-11d0-a285-00aa003049e2} \t\t\t{16775858-47f3-11d1-a9c3-0000f80367c1} \t\t\t{4d146e4a-48d4-11d1-a9c3-0000f80367c1} \t\t\t{4d146e4b-48d4-11d1-a9c3-0000f80367c1} \t\t\t{16775781-47f3-11d1-a9c3-0000f80367c1} \t\t\t{bf9679fe-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a49-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a4b-0de6-11d0-a285-00aa003049e2} \t\t\t{bf9679fd-0de6-11d0-a285-00aa003049e2} \t\t\t{a11703b7-5641-4d9c-863e-5fb3325e74e0} \t\t\t{dc66d44e-3d43-40f5-85c5-3c12e169927e} \t\t\t{94c42110-bae4-4cea-8577-af813af5da25} \t\t\t{bf967a4a-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967974-0de6-11d0-a285-00aa003049e2} \t\t\t{bf96793e-0de6-11d0-a285-00aa003049e2} \t\t\t{bd29bf90-66ad-40e1-887b-10df070419a6} \t\t\t{f0f8ff84-1191-11d0-a060-00aa006c33ed} \t\t\t{bf967a7b-0de6-11d0-a285-00aa003049e2} \t\t\t{f0f8ffa4-1191-11d0-a060-00aa006c33ed} \t\t\t{e16a9db2-403c-11d1-a9c0-0000f80367c1} \t\t\t{f0f8ffa2-1191-11d0-a060-00aa006c33ed} \t\t\t{bf9679fb-0de6-11d0-a285-00aa003049e2} \t\t\t{f0f8ffa1-1191-11d0-a060-00aa006c33ed} \t\t\t{bf9679f7-0de6-11d0-a285-00aa003049e2} \t\t\t{f0f8ffa3-1191-11d0-a060-00aa006c33ed} \t\t\t{f0f8ffa6-1191-11d0-a060-00aa006c33ed} \t\t\t{f0f8ffa5-1191-11d0-a060-00aa006c33ed} \t\t\t{8d3bca50-1d7e-11d0-a081-00aa006c33ed} \t\t\t{bf96798d-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a69-0de6-11d0-a285-00aa003049e2} \t\t\t{0296c11d-40da-11d1-a9c0-0000f80367c1} \t\t\t{0296c11e-40da-11d1-a9c0-0000f80367c1} \t\t{bc0ac240-79a9-11d0-9020-00c04fc2d4cf} \t\t\t{bf967991-0de6-11d0-a285-00aa003049e2} \t\t{59ba2f42-79a2-11d0-9020-00c04fc2d3cf} \t\t\t{bf967a6a-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967919-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967953-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967984-0de6-11d0-a285-00aa003049e2} \t\t\t{5fd42471-1262-11d0-a060-00aa006c33ed} \t\t{4c164200-20c0-11d0-a768-00aa006e0529} \t\t\t{3f78c3e5-f79a-46bd-a0b8-9d18116ddc79} \t\t{e45795b3-9455-11d1-aebd-0000f80367c1} \t\t\t{bf967a7a-0de6-11d0-a285-00aa003049e2} \t\t\t{9a9a0221-4a5b-11d1-a9c3-0000f80367c1} ","SubjectAccount":"SIMULANDLABS\\wardog","SubjectDomainName":"SIMULANDLABS","SubjectLogonId":"0x8f105095","SubjectUserName":"wardog","SubjectUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"dbf3f24f-f56f-4fd3-b0c5-f8aa05ff39ce","TimeCollected":"2021-08-02T13:13:12.291Z","timestamp":"2021-08-02T13:13:11.003Z","HostCustomEntity":"DC01.simulandlabs.com","AccountCustomEntity":"SIMULANDLABS\\wardog"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:53.573Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"bd2dda1b-862a-504f-2260-d9d2ed316e26","Account":"SIMULANDLABS.COM\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53145","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\wardog","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0f438e","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"wardog","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"2a816c01-c3d5-40c1-b6a3-aebbdb18238e","TimeCollected":"2021-08-02T13:11:56.243Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:53.627Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"bd2dda1b-862a-504f-2260-d9d2ed316e26","Account":"SIMULANDLABS.COM\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53146","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\wardog","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0f43a6","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"wardog","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"feb79a83-52a8-48f6-be30-8b6d885f2805","TimeCollected":"2021-08-02T13:11:56.243Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:11:54.587Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58762","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f0f4496","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"d412bd3c-b079-4d4d-88f2-2257596df25c","TimeCollected":"2021-08-02T13:11:56.243Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:12:55.12Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"189f3144-d352-e54d-f394-a78b36f77eab","Account":"SIMULANDLABS.COM\\adfsadmin","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53156","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\adfsadmin","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f102237","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"adfsadmin","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1103","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"d3b4624b-7a64-4994-a908-4df65cfe57c0","TimeCollected":"2021-08-02T13:13:12.291Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:13:10.997Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"bd2dda1b-862a-504f-2260-d9d2ed316e26","Account":"SIMULANDLABS.COM\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53159","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\wardog","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f105095","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"wardog","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"46ce5b07-6510-4f51-814b-117f07419993","TimeCollected":"2021-08-02T13:13:12.291Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:13:11.987Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58778","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f105127","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"7da8bfa8-e28f-4b03-876d-353ab80e9acb","TimeCollected":"2021-08-02T13:13:21.248Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:13:11.99Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58779","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f10516a","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"5acda2d6-7a40-4a90-aa8b-14cc8cb490c3","TimeCollected":"2021-08-02T13:13:21.248Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:13:11.993Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58780","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f105195","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"fe9fd7b1-ceb1-4b8d-a38f-ede9f320349f","TimeCollected":"2021-08-02T13:13:21.248Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:13:29.373Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"00000000-0000-0000-0000-000000000000","Account":"SIMULANDLABS\\pgustavo","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"NTLM","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53163","KeyLength":128,"LmPackageName":"NTLM V1","LogonProcessName":"NtLmSsp ","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS\\pgustavo","TargetDomainName":"SIMULANDLABS","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f107008","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"pgustavo","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1105","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"ADFS01","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"2d331101-d313-4e29-8ed7-fd70dcc1495f","TimeCollected":"2021-08-02T13:13:40.288Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:13:29.4Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"73969297-3475-37ab-4f01-3654d1f9b922","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"fe80::1d35:28c0:59d6:6862","IpPort":"58785","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f107035","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"078133c8-a75b-4002-be85-6bd4c017ab0b","TimeCollected":"2021-08-02T13:13:40.288Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:15:30.443Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0x0","LogonGuid_string":"f2db21f8-b14f-313b-f1a1-d7a38371a3e7","Account":"SIMULANDLABS.COM\\wardog","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.5","IpPort":"53182","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\wardog","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f1148dd","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"wardog","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"6d97271b-2616-472b-882d-ac2929277147","TimeCollected":"2021-08-02T13:15:39.251Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:32:54.223Z","Computer":"DC01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/dc01","ProcessId_string":"0xaa4","LogonGuid_string":"e4f54147-2578-4c72-4d93-80936b0a9042","Account":"SIMULANDLABS\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Negotiate","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"-","IpPort":"-","LmPackageName":"-","LogonProcessName":"Advapi  ","LogonType":3,"LogonTypeName":"3 - Network","Process":"Microsoft.Tri.Sensor.exe","ProcessName":"C:\\Program Files\\Azure Advanced Threat Protection Sensor\\2.156.14310.28897\\Microsoft.Tri.Sensor.exe","RestrictedAdminMode":"-","SubjectAccount":"NT AUTHORITY\\LOCAL SERVICE","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e5","SubjectUserName":"LOCAL SERVICE","SubjectUserSid":"S-1-5-19","TargetAccount":"SIMULANDLABS\\cjones","TargetDomainName":"SIMULANDLABS","TargetLinkedLogonId":"0x0","TargetLogonId":"0x8f1c6c03","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"DC01","SourceComputerId":"0c7a8afd-2d56-4cb2-8e41-8644b4f05d8c","EventOriginId":"b361b5a6-d549-469e-af88-e9b30a4917f8","TimeCollected":"2021-08-02T13:32:55.349Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:32:54.267Z","Computer":"ADFS01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/adfs01","ProcessId_string":"0x0","LogonGuid_string":"60dfb62d-482d-7f19-f3eb-b42169cf45d2","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.4","IpPort":"59014","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x51296bb8","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"00000000-0000-0000-0000-000000000000","EventOriginId":"6fa377f7-9697-4d8b-83b1-a4c0bc0a8a69","TimeCollected":"2021-08-02T13:32:55.423Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:32:54.277Z","Computer":"ADFS01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/adfs01","ProcessId_string":"0x0","LogonGuid_string":"60dfb62d-482d-7f19-f3eb-b42169cf45d2","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.4","IpPort":"59015","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x51296c0c","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"00000000-0000-0000-0000-000000000000","EventOriginId":"ac73bd9d-d937-46d8-be0f-d4c666676fe5","TimeCollected":"2021-08-02T13:32:55.423Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:32:54.277Z","Computer":"ADFS01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/adfs01","ProcessId_string":"0x0","LogonGuid_string":"60dfb62d-482d-7f19-f3eb-b42169cf45d2","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.4","IpPort":"59016","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x51296c2d","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"00000000-0000-0000-0000-000000000000","EventOriginId":"74f803d7-eed4-48db-ac4a-af4760c571e7","TimeCollected":"2021-08-02T13:32:55.423Z"}
{"TenantId":"00000000-0000-0000-0000-000000000000","SourceSystem":"OpsManager","TimeGenerated":"2021-08-02T13:32:54.28Z","Computer":"ADFS01.simulandlabs.com","EventID":4624,"MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-00000000-0000-0000-0000-000000000000","Type":"SecurityEvent","_ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/azhybrid/providers/microsoft.compute/virtualmachines/adfs01","ProcessId_string":"0x0","LogonGuid_string":"60dfb62d-482d-7f19-f3eb-b42169cf45d2","Account":"SIMULANDLABS.COM\\cjones","AccountType":"User","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":12544,"Level":"8","Activity":"4624 - An account was successfully logged on.","AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"192.168.2.4","IpPort":"59017","LmPackageName":"-","LogonProcessName":"Kerberos","LogonType":3,"LogonTypeName":"3 - Network","Process":"-","ProcessName":"-","RestrictedAdminMode":"-","SubjectAccount":"-\\-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetAccount":"SIMULANDLABS.COM\\cjones","TargetDomainName":"SIMULANDLABS.COM","TargetLinkedLogonId":"0x0","TargetLogonId":"0x51296c3f","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-","SourceComputerId":"00000000-0000-0000-0000-000000000000","EventOriginId":"66a0648b-d6cb-4771-a53f-c8d0e0bca313","TimeCollected":"2021-08-02T13:32:55.423Z"}
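Since the dataset ships without labels, a practitioner's first task is a triage pass over the raw records. The following Python script is an added example (not part of the SimuLand project or of the dataset itself) that parses trimmed copies of the 4624 records above as JSON lines and tags the ones relevant to a Golden SAML investigation: the NTLMv1 network logon of pgustavo to DC01 coming from the workstation ADFS01, the logon of the built-in Administrator (RID 500) account, and the burst of Kerberos network logons of cjones to ADFS01 from 192.168.2.4. It assumes the AD FS server can be recognised by the hostname prefix "ADFS", and it treats logons created by the Defender for Identity sensor running as LOCAL SERVICE as benign noise; both rules are assumptions for this lab, not facts stated by the dataset. The sample records are constructed from the events on this page with most fields dropped.

```python
"""Triage Windows 4624 (successful logon) records exported as JSON lines,
as in the SimuLand Golden SAML dataset, and tag the ones worth a closer look."""
import json
from collections import Counter

# Constructed sample: trimmed copies of the 4624 records on this page, keeping
# only the fields read below (a real SecurityEvent export carries ~50 fields).
SAMPLE_JSONL = r"""
{"TimeGenerated":"2021-08-02T13:13:29.373Z","Computer":"DC01.simulandlabs.com","EventID":4624,"TargetUserName":"pgustavo","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1105","LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V1","IpAddress":"192.168.2.5","WorkstationName":"ADFS01","SubjectUserSid":"S-1-0-0","ProcessName":"-"}
{"TimeGenerated":"2021-08-02T13:13:29.4Z","Computer":"DC01.simulandlabs.com","EventID":4624,"TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","LogonType":3,"AuthenticationPackageName":"Kerberos","LmPackageName":"-","IpAddress":"fe80::1d35:28c0:59d6:6862","WorkstationName":"-","SubjectUserSid":"S-1-0-0","ProcessName":"-"}
{"TimeGenerated":"2021-08-02T13:15:30.443Z","Computer":"DC01.simulandlabs.com","EventID":4624,"TargetUserName":"wardog","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-500","LogonType":3,"AuthenticationPackageName":"Kerberos","LmPackageName":"-","IpAddress":"192.168.2.5","WorkstationName":"-","SubjectUserSid":"S-1-0-0","ProcessName":"-"}
{"TimeGenerated":"2021-08-02T13:32:54.223Z","Computer":"DC01.simulandlabs.com","EventID":4624,"TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","LogonType":3,"AuthenticationPackageName":"Negotiate","LmPackageName":"-","IpAddress":"-","WorkstationName":"DC01","SubjectUserSid":"S-1-5-19","ProcessName":"C:\\Program Files\\Azure Advanced Threat Protection Sensor\\2.156.14310.28897\\Microsoft.Tri.Sensor.exe"}
{"TimeGenerated":"2021-08-02T13:32:54.267Z","Computer":"ADFS01.simulandlabs.com","EventID":4624,"TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","LogonType":3,"AuthenticationPackageName":"Kerberos","LmPackageName":"-","IpAddress":"192.168.2.4","WorkstationName":"-","SubjectUserSid":"S-1-0-0","ProcessName":"-"}
{"TimeGenerated":"2021-08-02T13:32:54.277Z","Computer":"ADFS01.simulandlabs.com","EventID":4624,"TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","LogonType":3,"AuthenticationPackageName":"Kerberos","LmPackageName":"-","IpAddress":"192.168.2.4","WorkstationName":"-","SubjectUserSid":"S-1-0-0","ProcessName":"-"}
{"TimeGenerated":"2021-08-02T13:32:54.277Z","Computer":"ADFS01.simulandlabs.com","EventID":4624,"TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","LogonType":3,"AuthenticationPackageName":"Kerberos","LmPackageName":"-","IpAddress":"192.168.2.4","WorkstationName":"-","SubjectUserSid":"S-1-0-0","ProcessName":"-"}
{"TimeGenerated":"2021-08-02T13:32:54.28Z","Computer":"ADFS01.simulandlabs.com","EventID":4624,"TargetUserName":"cjones","TargetUserSid":"S-1-5-21-2490359158-13971675-3780420524-1106","LogonType":3,"AuthenticationPackageName":"Kerberos","LmPackageName":"-","IpAddress":"192.168.2.4","WorkstationName":"-","SubjectUserSid":"S-1-0-0","ProcessName":"-"}
"""

# Assumption for this lab: the federation server's hostname starts with "ADFS".
# In production, use the real list of AD FS hosts instead of a prefix match.
ADFS_HOST_PREFIX = "ADFS"
# Assumption: logons created by the Defender for Identity sensor running as
# LOCAL SERVICE (S-1-5-19), like the DC01 record on this page, are benign.
SENSOR_PROCESS = "Microsoft.Tri.Sensor.exe"


def parse_jsonl(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line should not abort the whole pass
    return events


def is_sensor_noise(ev):
    """Logon generated by the monitoring sensor itself, not by a person."""
    return (ev.get("SubjectUserSid") == "S-1-5-19"
            and ev.get("ProcessName", "").endswith(SENSOR_PROCESS))


def classify(ev):
    """Return the triage tags that apply to a single 4624 record."""
    tags = []
    if ev.get("EventID") != 4624 or is_sensor_noise(ev):
        return tags
    host = ev.get("Computer", "").split(".")[0].upper()
    # NTLMv1 is a downgrade worth noticing on any network logon to a DC.
    if ev.get("LmPackageName") == "NTLM V1":
        tags.append("ntlmv1_network_logon")
    # RID 500 is the built-in Administrator regardless of its display name.
    if ev.get("TargetUserSid", "").endswith("-500"):
        tags.append("builtin_administrator_logon")
    # Remote (type 3) logons to the AD FS server: the signing certificate
    # theft in this scenario requires access to exactly this host.
    if (host.startswith(ADFS_HOST_PREFIX) and ev.get("LogonType") == 3
            and ev.get("IpAddress", "-") != "-"):
        tags.append("network_logon_to_adfs")
    return tags


def triage(text):
    """Parse the export and return findings plus a per-tag count."""
    events = parse_jsonl(text)
    findings = []
    for ev in events:
        for tag in classify(ev):
            findings.append({
                "tag": tag,
                "time": ev["TimeGenerated"],
                "host": ev["Computer"],
                "user": ev["TargetUserName"],
                "source_ip": ev.get("IpAddress", "-"),
                "workstation": ev.get("WorkstationName", "-"),
            })
    by_tag = Counter(f["tag"] for f in findings)
    return {"parsed": len(events), "findings": findings, "by_tag": dict(by_tag)}


if __name__ == "__main__":
    result = triage(SAMPLE_JSONL)
    print(f"parsed {result['parsed']} events, {len(result['findings'])} findings")
    for f in result["findings"]:
        print(f"{f['time']}  {f['tag']:28} {f['user']}@{f['host']} "
              f"from {f['source_ip']} (workstation {f['workstation']})")
```

Run against the sample, the pass yields six findings: one NTLMv1 logon, one built-in Administrator logon and four network logons to ADFS01. These tags are triage hints, not verdicts; a 4624 alone does not prove the certificate was exported, so the next step is to pivot on the TargetLogonId values and the timestamps into the AAD, Defender and Office events from the same dataset.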