<01> @cee: {"name":"DefaultProfile","version":"1.0","isoTimeFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"Event","category":"4688","protocolID":"255","sev":"2","src":"10.5.14.81","dst":"10.5.14.81","srcPort":"0","dstPort":"0","relevance":"5","credibility":"5","startTimeEpoch":"1759325971476","startTimeISO":"2025-10-01T13:39:31.476Z","storageTimeEpoch":"1759325971476","storageTimeISO":"2025-10-01T13:39:31.476Z","deploymentID":"1111aaa3-08a1-11eb-80f7-ecebb11d9a14","devTimeEpoch":"1759325920000","devTimeISO":"2025-10-01T13:38:40.000Z","srcPreNATPort":"0","dstPreNATPort":"0","srcPostNATPort":"0","dstPostNATPort":"0","hasIdentity":"false","payload":"<14>Oct  1 13:38:40 abcddul23105 MSWinEventLog\t1\tSecurity\t27884\tWed Oct 01 13:38:40 2025\t4688\tWindows\tN/A\tN/A\tSuccess Audit\tabcddul23105\tProcess Creation\t\tA new process has been created.    Creator Subject:   Security ID:  NT AUTHORITY\\SYSTEM   Account Name:  abcdDUL23105$ Account Domain:  DOMAIN   Logon ID:  0x3E7    Target Subject:   Security ID:  DOMAIN\\FOOBAR   Account Name:  FOOBAR   Account Domain:  DOMAIN   Logon ID:  0x19C34    Process Information:   New Process ID:  0x27a8   New Process Name: C:\\Windows\\System32\\backgroundTaskHost.exe   Token Elevation Type: TokenElevationTypeDefault (1)   Mandatory Label:  Mandatory Label\\Low Mandatory Level   Creator Process ID: 0x4b0   Creator Process Name: C:\\Windows\\System32\\svchost.exe   Process Command Line: \"C:\\WINDOWS\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider   \t7574751\tenrichment_section: fromhost-ip=10.5.14.81\n","eventCnt":"1","hasOffense":"false","domainID":"0","eventName":"Success Audit: A new process has been created","lowLevelCategory":"Process Creation Success","highLevelCategory":"System","eventDescription":"Success Audit: A new process has been created.","srcAssetName":"SERVER","dstAssetName":"SERVER","logSource":"abcddul23105","srcNetName":"Net-10-172-192.Net_10_0_0_0","dstNetName":"Net-10-172-192.Net_10_0_0_0","logSourceType":"Microsoft Windows Security Event Log","logSourceGroup":"THE_GROUP","logSourceIdentifier":"abcddul23105","Target User Name":"FOOBAR","EventID":"4688","Source Process":"backgroundTaskHost.exe","Parent Process Name":"svchost.exe","Process CommandLine":"\"C:\\WINDOWS\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider","Parent Process Path":"C:\\Windows\\System32\\svchost.exe"}
<01> @cee: {"name":"DefaultProfile","version":"1.0","isoTimeFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"Event","category":"deny","protocolID":"17","sev":"4","src":"10.2.3.4","dst":"10.4.8.9","srcPort":"59505","dstPort":"137","relevance":"5","credibility":"5","startTimeEpoch":"1759324287718","startTimeISO":"2025-10-01T13:11:27.718Z","storageTimeEpoch":"1759324287718","storageTimeISO":"2025-10-01T13:11:27.718Z","deploymentID":"1150aaa4-05a1-11eb-80f7-ecebb34d2a89","devTimeEpoch":"1759324227000","devTimeISO":"2025-10-01T13:10:27.000Z","srcPostNAT":"0.0.0.157","dstPostNAT":"0.0.0.157","srcPreNATPort":"0","dstPreNATPort":"0","srcPostNATPort":"0","dstPostNATPort":"0","hasIdentity":"false","payload":"<14>Oct  1 15:10:28 ultrasecure-firewall LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|11.1.6-h14|deny|cat=TRAFFIC|ReceiveTime=2025/10/01 15:10:27|SerialNumber=010108010025|Type=TRAFFIC|Subtype=drop|devTime=Oct 01 2025 13:10:27 GMT|src=10.2.3.4|dst=10.4.8.9|srcPostNAT=0.0.0.157|dstPostNAT=0.0.0.157|RuleName=interzone-default|usrName=|SourceUser=|DestinationUser=|Application=not-applicable|VirtualSystem=vsys3|SourceZone=the-sone|DestinationZone=the-other-zone|IngressInterface=ae1.1111|EgressInterface=|LogForwardingProfile=default|SessionID=0|RepeatCount=1|srcPort=59505|dstPort=137|srcPostNATPort=0|dstPostNATPort=0|Flags=0x0|proto=udp|action=deny|totalBytes=0|dstBytes=0|srcBytes=0|totalPackets=1|StartTime=2025/10/01 15:10:25|ElapsedTime=0|URLCategory=any|sequence=7548503208760266305|ActionFlags=0x8000000000000000|SourceLocation=10.0.0.20-10.255.255.1|DestinationLocation=10.0.0.20-10.255.255.1|dstPackets=0|srcPackets=1|SessionEndReason=policy-deny|DeviceGroupHierarchyL1=177|DeviceGroupHierarchyL2=235|DeviceGroupHierarchyL3=236|DeviceGroupHierarchyL4=239|vSrcName=ultrasecure-firewall|DeviceName=ultrasecure-firewall|ActionSource=from-policy|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=|TunnelType=N/A\tenrichment_section: fromhost-ip=10.14.15.16\n","eventCnt":"1","hasOffense":"false","domainID":"0","eventName":"Session Denied","lowLevelCategory":"Firewall Deny","highLevelCategory":"Access","eventDescription":"Session was denied by application policy","srcAssetName":"foobaz.domain.local","protocolName":"udp","logSource":"ultrasecure-firewall","srcNetName":"Net-10-172-192.Net_10_0_0_0","dstNetName":"Net-10-172-192.Net_10_0_0_0","logSourceType":"Palo Alto PA Series","logSourceGroup":"FIREWALL_GROUP","logSourceIdentifier":"ultrasecure-firewall","Application":"not-applicable","ObjectType":"drop"}
