From 4722ef0948b44c01a7cf2732dbdd390ff59625fc Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman" <lee.e.hinman@elastic.co>
Date: Tue, 26 Jan 2021 10:42:36 -0600
Subject: [PATCH] [Winlogbeat] add eventID 4912 test

- add example of eventID 4912 captured on win2012R2
---
 .../test/testdata/4912_WindowsSrv2012R2.evtx  |  Bin 0 -> 69632 bytes
 .../4912_WindowsSrv2012R2.evtx.golden.json    | 4106 +++++++++++++++++
 2 files changed, 4106 insertions(+)
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2012R2.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2012R2.evtx.golden.json

diff --git a/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2012R2.evtx b/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2012R2.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..acb6f62059b3cfc60726c5962736c0dd2b4618a2
GIT binary patch
literal 69632
zcmeI5dvIJ;9mjwB>}HefCJlj7+R~P`G=;R;-E4N#@G#`j77E4^K}Y|IP12_1p-qA<
zRqUwXOr7yHw15a!9x9?$Q3MO(gQEDD`Uf*2{YOQ|LC0}~j$_Av;`etSdF(XlIo9#6
z<M-^`-TOGN`}v%6?jzZ|UBiRjL&F178a8_?4&pN;5s{iuX_WI`{^!=jYv-K_GavyH
zAOR8}0TLhq5+DH*AOR8}0TMVTfv(}fj@_fT;Tqo!t=?zp@<FU$vRCBHxX7LR|2XJH
z`?o(d|CjE&|97)9SRNO7ZIQ_7n8@qV*;_=C36ZOD8^Si6JV%;OqD&3TQKp7}c=4a~
z*6X?lux_xVKG$OTOjx&yEG;Qx#LG*!J?_olh`8Oz^LR-<8s}W$Sui=@u+FP%X+9e^
zU_Zdt_nk}srtQq>Uxm`4kW__k9sAHWKc&uhy*_mJ-#&itA3nJCM8gs6iN<QLl|z`-
z9n^5VDkfcWy9~&vOknwAnBsf9jnAcHvQI{27#q=$Bo@lcZbX}q_sVA3gx9$2#F_!b
z>BIa+d=6pFUKzvEm<%H3Ml6qE{U&)owvFO5D@}McW3EYxcpsQ9etgbSI5ahN3a)%_
zW4&>?S@t9638zGnaQoEMJ5ev+=o<$T(&LnVJId-uEOY^B!PM<H#v2Yt<t9{i1RF(C
zDG9~j;kAc``lxJ?Nhc*Xr6nC{kI0RPc83?^?|qAA!P+LB*mgOlxHdV>rr}gl-i9pt
zfNTi6Kjc(F(WRmi52qp$kA^B`HCFg7eM!Y4xy6e%1X82e7EV=4Gz!Nnu;4fG{*y7;
zj)>}N*oh<>DJ;vdu*_?xT?eAl>$tehi4xWVL$VSJ+66QmTM?JHLZE6<L|R-(bBf6t
zEciWV&o2{l12*r6w=r<+2X~DcllmyI_h8}EUXE>_s6?Sd4$}@q9Y6(CQ9t51c(fO3
zo4V>ia*jbi5%9#NHWEsrwaknq-I3~9w09swt+Lj{B_B>DC8>3}3yJ&z;o&zcrNfD)
z^%!<);$wX`;&pd>Jv{kFQreN@1S+nrWdeKZ=9^k1>9`IGsy+W=t!UA1PP$L?B&yct
zGBq`VGW<d0nWrkS1N)qcPdWv;dbeslU{ka%$yX}8HoFrM$MN!Nk&r}OhgMa4S8D=<
zcYADo0I3Q|L_#%AbJD?B!$;6WI}o!E4QbS=w@Ry#P&70(bsZw;sHWoDMiUOG5i|v@
zoZDBzu}~T~`eYZ%(mW=l(dn=myf<Q9R+PAA<PXJ1Hzpue<xFC`3sU4##EAQ&^5FKk
zyd8U{Wq5m6C3TT#s#aD-Wig_n0Xh@ftLUU5A@!JQo%tx{bV^9liRY}uTQ`<!B#j9p
zTV$24&NtP$TUQ?RN5{XQEB(4s<eoNn3p#b_Fx4oxV%;eGj-kPiV_!@6sS)NUv0e92
zWA2i*M?TuSulJs9j~&0JEwcWF>e3YMpnOyMkq`KX1f74^o<qNX;(e!beTSdEvj?3*
zW5G=)X7y;Qq4UGqaQs2J(`m$gSg+$<7e4jqs_o~{SQKNBb~fF*7E@fuxmYNL+E2=R
zWRK%zVjBL<sCmDHt3~QmW8TZl>7;JT^gJp3F*96^+G<)o^U!)+F;i-7N!m`Z)B}Uk
znn@pa)91YO3)Ff$((l4FibkWgj<`cl#!GqGOv%;Gptl#X2LQuwYX06v-M!VCYK@oA
zq)Va;xMP);v)35{w4|6@$Fr8?lHGaMba6M`0$fYe`3IbEHAWrfs!ddD**H_n#j{#o
z59+DMmYt}p-_Lcg$5HD9N{>nf5-yWE!J!Suj}W>{y|Y|}d0nU7MdvZzYlzk3?Ne{o
zzx?N;*WZzO<*z&bgcdY+1h@s|Z^0<o4vW2W#)BOg4^E#z??PB8zqM$bMZ_&&(s><C
zvRG4;n$Mi9IyUrb?ej19^z`;LHMudHC6AYPeADwCJ@5G~%0VY_g5R^<F6N*2{HI2e
zS7nu!vcO1kILMLYf5~vG)GlZk4OhMTe$n=v5VYST^gDM%IC~Fn#VP#ah5fqy*7u7O
zkFxN4Fa4VN%}AY%U-y_I5_JE)kABVkX5|7Kzur|w;C}C?-}(IJrq8hQxXIEi^)`OJ
z3y{G5ewKdC{O09C8^1V}E{o&u1N3X=w?!_p@vD~x8iGFlevW?4{1#-1jo+lJH*miX
z(yy7{qFiF*7dI)L5On{2h<?rdw#vmeeyhsF@8{{)#BUz=H<sG?#hvxC=)Xtl*UWE5
zmf84Cm5JXk(65=_taRA;O_zz^hw0bMZ%($@_^l}uzmL%Ge14m!?_U*h^lg&mHh$gz
z76|_O_fh&a^P7<sHh%Rlyc&YOK6;FP&HQHNQX9YCzwQL?_lxvv<~JuRZTw!~cHhAL
zeu;j~{5H$wHh%S=i8KT~K7W~h&HUzNm5tvEUA=+(eVl&H{I<wy8^0HoiQli#ubJP1
zTxR2UNtyV4f_}~X7G;f%-;2w{?^o&9%x|l#weh>OO#FV0eog#laQ|wZjo(Yk#P2cs
zHS?R1P8+}aT|Es!Umty)e$D)5rOU>zez!<N(0;!`zh-`O(rx2czmTgTXusd2-}(IJ
zy}uvjaO}<F%irs5{OZ?MH3aSVN%}SOTaX4DzbhTP!TbFd{hIkL$_5+1&i6LUp#OfG
ze&_SsGCe-$obLf&VdHmone^YM=-13|POh}^tKaF@5cKi)JM?Sjw^<r({H}5J2JZK1
z`Ze>LmyI@l^=Td&g6_Z1(65=_7TId!cb%&@aKGQB-}(F&rq8eR>K6}Kv+=7>0@4t4
z|2<B>W`6Mm4jaGgUA=+(eU^Sr{1$KzD`Vrgp-lWfN55u%@gyu8zjzFm6M`O}zem4j
zezTIZ@vG0M(-5@Z=jqqXZ%&$R{9ftm4czbd>32TA#p&~BePSV=L}=qzpW3J)=>Gcy
z`Ze>5Ya|=L`g~#yLHqq7{hIl0k%EoiO|IU+{r-r4&HNUmXydo3O#Hq;zh-`m(rV*Z
zpV+J+=<)dk{hIl0mCZJOv##F2{k}-Q^ZCVpwBwb*nX~@9N0YSK_|>PvYY4jk{+NEv
z{AT1T8^6u2-oX9-gnrHZX60%dzxvRA4MF$cm+05bZ%(eU@vFb3q#<a(Kc(NZ`_&_^
zfBel!4u1i@*2Zta)f>3qpV6<G--5iw#&5Aq{QjJN&HNUn-Nvu~dyt-H=f|aHei!h+
z_xm`%pkFh;t#X}-U*9J`Nq_`MfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14c
zNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-L
zfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@
z1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14c
WNPq-LfCNZ@1W14cNZ|j8z`p>&k=u0u

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2012R2.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2012R2.evtx.golden.json
new file mode 100644
index 000000000000..4fab8875142f
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2012R2.evtx.golden.json
@@ -0,0 +1,4106 @@
+[
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "System",
+        "CategoryId": "%%8272",
+        "SubCategory": "Security State Change",
+        "SubcategoryGuid": "{0CCE9210-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12288",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15252,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "System",
+        "CategoryId": "%%8272",
+        "SubCategory": "Security System Extension",
+        "SubcategoryGuid": "{0CCE9211-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12289",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15253,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "System",
+        "CategoryId": "%%8272",
+        "SubCategory": "System Integrity",
+        "SubcategoryGuid": "{0CCE9212-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12290",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15254,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "System",
+        "CategoryId": "%%8272",
+        "SubCategory": "IPsec Driver",
+        "SubcategoryGuid": "{0CCE9213-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12291",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15255,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "System",
+        "CategoryId": "%%8272",
+        "SubCategory": "Other System Events",
+        "SubcategoryGuid": "{0CCE9214-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12292",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15256,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "Logon",
+        "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12544",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15257,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "Logoff",
+        "SubcategoryGuid": "{0CCE9216-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12545",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15258,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "Account Lockout",
+        "SubcategoryGuid": "{0CCE9217-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12546",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15259,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "IPsec Main Mode",
+        "SubcategoryGuid": "{0CCE9218-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12547",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15260,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "Special Logon",
+        "SubcategoryGuid": "{0CCE921B-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12548",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15261,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "IPsec Quick Mode",
+        "SubcategoryGuid": "{0CCE9219-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12549",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15262,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "IPsec Extended Mode",
+        "SubcategoryGuid": "{0CCE921A-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12550",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15263,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "Other Logon/Logoff Events",
+        "SubcategoryGuid": "{0CCE921C-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12551",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15264,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "Network Policy Server",
+        "SubcategoryGuid": "{0CCE9243-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12552",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15265,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Logon/Logoff",
+        "CategoryId": "%%8273",
+        "SubCategory": "User / Device Claims",
+        "SubcategoryGuid": "{0CCE9247-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12553",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15266,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "File System",
+        "SubcategoryGuid": "{0CCE921D-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12800",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15267,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Registry",
+        "SubcategoryGuid": "{0CCE921E-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12801",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15268,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Kernel Object",
+        "SubcategoryGuid": "{0CCE921F-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12802",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15269,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "SAM",
+        "SubcategoryGuid": "{0CCE9220-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12803",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15270,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Other Object Access Events",
+        "SubcategoryGuid": "{0CCE9227-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12804",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15271,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Certification Services",
+        "SubcategoryGuid": "{0CCE9221-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12805",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15272,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Application Generated",
+        "SubcategoryGuid": "{0CCE9222-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12806",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15273,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Handle Manipulation",
+        "SubcategoryGuid": "{0CCE9223-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12807",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15274,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "File Share",
+        "SubcategoryGuid": "{0CCE9224-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12808",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15275,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Filtering Platform Packet Drop",
+        "SubcategoryGuid": "{0CCE9225-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12809",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15276,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Filtering Platform Connection ",
+        "SubcategoryGuid": "{0CCE9226-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12810",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15277,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Detailed File Share",
+        "SubcategoryGuid": "{0CCE9244-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12811",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15278,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Removable Storage",
+        "SubcategoryGuid": "{0CCE9245-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12812",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15279,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Object Access",
+        "CategoryId": "%%8274",
+        "SubCategory": "Central Policy Staging",
+        "SubcategoryGuid": "{0CCE9246-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%12813",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15280,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Privilege Use",
+        "CategoryId": "%%8275",
+        "SubCategory": "Sensitive Privilege Use",
+        "SubcategoryGuid": "{0CCE9228-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13056",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15281,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Privilege Use",
+        "CategoryId": "%%8275",
+        "SubCategory": "Non Sensitive Privilege Use",
+        "SubcategoryGuid": "{0CCE9229-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13057",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15282,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Privilege Use",
+        "CategoryId": "%%8275",
+        "SubCategory": "Other Privilege Use Events",
+        "SubcategoryGuid": "{0CCE922A-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13058",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15283,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Detailed Tracking",
+        "CategoryId": "%%8276",
+        "SubCategory": "Process Creation",
+        "SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13312",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15284,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Detailed Tracking",
+        "CategoryId": "%%8276",
+        "SubCategory": "Process Termination",
+        "SubcategoryGuid": "{0CCE922C-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13313",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15285,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Detailed Tracking",
+        "CategoryId": "%%8276",
+        "SubCategory": "DPAPI Activity",
+        "SubcategoryGuid": "{0CCE922D-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13314",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15286,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Detailed Tracking",
+        "CategoryId": "%%8276",
+        "SubCategory": "RPC Events",
+        "SubcategoryGuid": "{0CCE922E-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13315",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15287,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Detailed Tracking",
+        "CategoryId": "%%8276",
+        "SubCategory": "Plug and Play Events",
+        "SubcategoryGuid": "{0CCE9248-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13316",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15288,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Policy Change",
+        "CategoryId": "%%8277",
+        "SubCategory": "Audit Policy Change",
+        "SubcategoryGuid": "{0CCE922F-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13568",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15289,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Policy Change",
+        "CategoryId": "%%8277",
+        "SubCategory": "Authentication Policy Change",
+        "SubcategoryGuid": "{0CCE9230-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13569",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15290,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Policy Change",
+        "CategoryId": "%%8277",
+        "SubCategory": "Authorization Policy Change",
+        "SubcategoryGuid": "{0CCE9231-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13570",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15291,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Policy Change",
+        "CategoryId": "%%8277",
+        "SubCategory": "MPSSVC Rule-Level Policy Change",
+        "SubcategoryGuid": "{0CCE9232-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13571",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15292,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Policy Change",
+        "CategoryId": "%%8277",
+        "SubCategory": "Filtering Platform Policy Change",
+        "SubcategoryGuid": "{0CCE9233-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13572",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15293,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Policy Change",
+        "CategoryId": "%%8277",
+        "SubCategory": "Other Policy Change Events",
+        "SubcategoryGuid": "{0CCE9234-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13573",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15294,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8278",
+        "SubCategory": "User Account Management",
+        "SubcategoryGuid": "{0CCE9235-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13824",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15295,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8278",
+        "SubCategory": "Computer Account Management",
+        "SubcategoryGuid": "{0CCE9236-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13825",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15296,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8278",
+        "SubCategory": "Security Group Management",
+        "SubcategoryGuid": "{0CCE9237-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13826",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15297,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8278",
+        "SubCategory": "Distribution Group Management",
+        "SubcategoryGuid": "{0CCE9238-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13827",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15298,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8278",
+        "SubCategory": "Application Group Management",
+        "SubcategoryGuid": "{0CCE9239-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13828",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15299,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8278",
+        "SubCategory": "Other Account Management Events",
+        "SubcategoryGuid": "{0CCE923A-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%13829",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15300,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8279",
+        "SubCategory": "Directory Service Access",
+        "SubcategoryGuid": "{0CCE923B-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%14080",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15301,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8279",
+        "SubCategory": "Directory Service Changes",
+        "SubcategoryGuid": "{0CCE923C-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%14081",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15302,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8279",
+        "SubCategory": "Directory Service Replication",
+        "SubcategoryGuid": "{0CCE923D-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%14082",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15303,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Management",
+        "CategoryId": "%%8279",
+        "SubCategory": "Detailed Directory Service Replication",
+        "SubcategoryGuid": "{0CCE923E-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%14083",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15304,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Logon",
+        "CategoryId": "%%8280",
+        "SubCategory": "Credential Validation",
+        "SubcategoryGuid": "{0CCE923F-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%14336",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15305,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Logon",
+        "CategoryId": "%%8280",
+        "SubCategory": "Kerberos Service Ticket Operations",
+        "SubcategoryGuid": "{0CCE9240-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%14337",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15306,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Logon",
+        "CategoryId": "%%8280",
+        "SubCategory": "Other Account Logon Events",
+        "SubcategoryGuid": "{0CCE9241-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%14338",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15307,
+      "task": "Audit Policy Change"
+    }
+  },
+  {
+    "@timestamp": "2021-01-26T15:30:53.5921459Z",
+    "event": {
+      "action": "per-user-audit-policy-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4912,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT-2012-R2",
+      "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant-2012-r2",
+      "event_data": {
+        "AuditPolicyChanges": "%%8455",
+        "AuditPolicyChangesDescription": [
+          "Success exclude added"
+        ],
+        "Category": "Account Logon",
+        "CategoryId": "%%8280",
+        "SubCategory": "Kerberos Authentication Service",
+        "SubcategoryGuid": "{0CCE9242-69AE-11D9-BED3-505054503030}",
+        "SubcategoryId": "%%14339",
+        "SubjectDomainName": "VAGRANT-2012-R2",
+        "SubjectLogonId": "0x1c4f3",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
+        "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
+      },
+      "event_id": 4912,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x1c4f3"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 492,
+        "thread": {
+          "id": 3032
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 15308,
+      "task": "Audit Policy Change"
+    }
+  }
+]
\ No newline at end of file