From b59c1eddc171735f3217a7dec826d970abc5cb90 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 5 Mar 2025 12:49:35 +0100 Subject: [PATCH] Fix boolean key in security pipelines and sync pipelines with integration. (#43027) (cherry picked from commit 7237209ca708ecd04ceb950348a66806ce35a6f0) # Conflicts: # x-pack/winlogbeat/module/security/ingest/security.yml --- CHANGELOG.next.asciidoc | 5 + .../module/powershell/ingest/powershell.yml | 2 +- .../ingest/powershell_operational.yml | 2 +- .../module/routing/ingest/routing.yml | 36 +- .../module/security/ingest/security.yml | 443 +- .../security/ingest/security_standard.yml | 4248 +++++++++++++++++ .../module/sysmon/ingest/sysmon.yml | 2 +- 7 files changed, 4322 insertions(+), 416 deletions(-) create mode 100644 x-pack/winlogbeat/module/security/ingest/security_standard.yml diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index d7980d1ae257..2a1f53d13b28 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -161,6 +161,11 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] *Winlogbeat* +- Fix message handling in the experimental api. {issue}19338[19338] {pull}41730[41730] +- Sync missing changes in modules pipelines. {pull}42619[42619] +- Reset EventLog if error EOF is encountered. {pull}42826[42826] +- Implement backoff on error retrial. {pull}42826[42826] +- Fix boolean key in security pipelines and sync pipelines with integration. {pull}43027[43027] *Elastic Logging Plugin* diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml index d14a9e25aa32..7cde92f7cb04 100644 --- a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml +++ b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml @@ -46,7 +46,7 @@ processors: - set: field: ecs.version - value: '8.0.0' + value: '8.17.0' - set: field: log.level copy_from: winlog.level 
diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml index 206d25db3de8..a514f85b5fb7 100644 --- a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml +++ b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml @@ -26,7 +26,7 @@ processors: - set: field: ecs.version - value: '8.0.0' + value: '8.17.0' - set: field: log.level copy_from: winlog.level diff --git a/x-pack/winlogbeat/module/routing/ingest/routing.yml b/x-pack/winlogbeat/module/routing/ingest/routing.yml index 9c00e19e1603..945408bed4c8 100644 --- a/x-pack/winlogbeat/module/routing/ingest/routing.yml +++ b/x-pack/winlogbeat/module/routing/ingest/routing.yml @@ -16,6 +16,7 @@ processors: - pipeline: name: '{< IngestPipeline "powershell_operational" >}' if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'microsoft-windows-powershell/operational' + - set: field: host.os.type value: windows 
@@ -25,8 +26,39 @@ processors: value: windows override: false + # Get user details from the translate_sid processor enrichment + # if they are available and we don't already have them. + - rename: + field: winlog.event_data._MemberUserName + target_field: user.name + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data._MemberDomain + target_field: user.domain + ignore_failure: true + ignore_missing: true + - append: + value: '{{{winlog.event_data._MemberAccountType}}}' + field: user.roles + ignore_failure: true + allow_duplicates: false + if: ctx.winlog?.event_data?._MemberAccountType != null + - remove: + field: winlog.event_data._MemberAccountType + ignore_missing: true + ignore_failure: true + if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType) + + - convert: + field: error.code + type: string + ignore_missing: true + on_failure: - set: + field: event.kind + value: pipeline_error + - append: field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml index c4512e3bc1ff..cb4dea6e9276 100644 --- a/x-pack/winlogbeat/module/security/ingest/security.yml +++ b/x-pack/winlogbeat/module/security/ingest/security.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for Windows Security events +description: Pipeline for Security events processors: - set: field: event.module @@ -8,6 +8,7 @@ processors: field: event.code type: string ignore_missing: true +<<<<<<< HEAD - script: lang: painless ignore_failure: false 
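Review bot: The two added `rename` processors for `_MemberUserName` and `_MemberDomain` implement the comment's "we don't already have them" only indirectly: `rename` fails when the target field exists and `ignore_failure: true` swallows that failure, which also hides any other failure on those processors. Make the intent explicit in the condition instead, e.g. `if: ctx.winlog?.event_data?._MemberUserName != null && ctx.user?.name == null` on the first and `if: ctx.winlog?.event_data?._MemberDomain != null && ctx.user?.domain == null` on the second, after which `ignore_failure` can be dropped. Note also that the rewritten `on_failure` appends only `{{{ _ingest.on_failure_message }}}`, so the processor type, tag and pipeline name carried by the removed message are no longer recorded anywhere in the document.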
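Review bot: The added line `<<<<<<< HEAD` is an unresolved merge-conflict marker committed into `security.yml`; together with the `=======` and `>>>>>>> 7237209ca (...)` lines added in the `@@ -3785,12 +3786,36 @@` hunk it leaves the file as invalid YAML, so the pipeline will not load at all. The `# Conflicts:` trailer in the commit message names this file, which suggests the cherry-pick was recorded before the conflict was resolved. The resolution has to pick one side: the HEAD side keeps the inline `script` processors that begin here, while the other side calls `{< IngestPipeline "security_standard" >}`, and the new `security_standard.yml` appears to contain the same categorization, logon-type and UAC scripts, so keeping both would run that enrichment twice. Remove the three marker lines and drop whichever side is not intended.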
@@ -3785,12 +3786,36 @@ processors: ctx.winlog?.event_data?.OldTargetUserName != null && ctx.winlog.event_data.OldTargetUserName != "-" +======= + - pipeline: + name: '{< IngestPipeline "security_standard" >}' + if: 'ctx.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)' +>>>>>>> 7237209ca (Fix boolean key in security pipelines and sync pipelines with integration. (#43027)) - gsub: field: source.ip pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$' replacement: '$1' ignore_missing: true - + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - append: field: related.ip value: '{{source.ip}}' 
@@ -3798,424 +3823,23 @@ processors: if: |- ctx.source?.ip != null && ctx.source.ip != "-" - - - script: - lang: painless - ignore_failure: false - tag: Object Policy Change and SidListDesc - description: Object Policy Change and SidListDesc - # SDDL Ace Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - # SDDL Permissions - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - # Known SIDs - # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - # Domain-specific SIDs - # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - # Object Permission Flags - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - params: - AccountSIDDescription: - AO: Account operators - RU: Alias to allow previous Windows 2000 - AN: Anonymous logon - AU: Authenticated users - BA: Built-in administrators - BG: Built-in guests - BO: Backup operators - BU: Built-in users - CA: Certificate server administrators - CG: Creator group - CO: Creator owner - DA: Domain administrators - DC: Domain computers - DD: Domain controllers - DG: Domain guests - DU: Domain users - EA: Enterprise administrators - ED: Enterprise domain controllers - WD: Everyone - PA: Group Policy administrators - IU: Interactively logged-on user - LA: Local administrator - LG: Local guest - LS: Local service account - SY: Local system - NU: Network logon user - NO: Network configuration operators - NS: Network 
service account - PO: Printer operators - PS: Personal self - PU: Power users - RS: RAS servers group - RD: Terminal server users - RE: Replicator - RC: Restricted code - SA: Schema administrators - SO: Server operators - SU: Service logon user - S-1-0: Null Authority - S-1-0-0: Nobody - S-1-1: World Authority - S-1-1-0: Everyone - S-1-16-0: Untrusted Mandatory Level - S-1-16-12288: High Mandatory Level - S-1-16-16384: System Mandatory Level - S-1-16-20480: Protected Process Mandatory Level - S-1-16-28672: Secure Process Mandatory Level - S-1-16-4096: Low Mandatory Level - S-1-16-8192: Medium Mandatory Level - S-1-16-8448: Medium Plus Mandatory Level - S-1-2: Local Authority - S-1-2-0: Local - S-1-2-1: Console Logon - S-1-3: Creator Authority - S-1-3-0: Creator Owner - S-1-3-1: Creator Group - S-1-3-2: Creator Owner Server - S-1-3-3: Creator Group Server - S-1-3-4: Owner Rights - S-1-4: Non-unique Authority - S-1-5: NT Authority - S-1-5-1: Dialup - S-1-5-10: Principal Self - S-1-5-11: Authenticated Users - S-1-5-12: Restricted Code - S-1-5-13: Terminal Server Users - S-1-5-14: Remote Interactive Logon - S-1-5-15: This Organization - S-1-5-17: This Organization - S-1-5-18: Local System - S-1-5-19: NT Authority - S-1-5-2: Network - S-1-5-20: NT Authority - S-1-5-3: Batch - S-1-5-32-544: Administrators - S-1-5-32-545: Users - S-1-5-32-546: Guests - S-1-5-32-547: Power Users - S-1-5-32-548: Account Operators - S-1-5-32-549: Server Operators - S-1-5-32-550: Print Operators - S-1-5-32-551: Backup Operators - S-1-5-32-552: Replicators - S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access - S-1-5-32-555: Builtin\Remote Desktop Users - S-1-5-32-556: Builtin\Network Configuration Operators - S-1-5-32-557: Builtin\Incoming Forest Trust Builders - S-1-5-32-558: Builtin\Performance Monitor Users - S-1-5-32-559: Builtin\Performance Log Users - S-1-5-32-560: Builtin\Windows Authorization Access Group - S-1-5-32-561: Builtin\Terminal Server License Servers - S-1-5-32-562: 
Builtin\Distributed COM Users - S-1-5-32-569: Builtin\Cryptographic Operators - S-1-5-32-573: Builtin\Event Log Readers - S-1-5-32-574: Builtin\Certificate Service DCOM Access - S-1-5-32-575: Builtin\RDS Remote Access Servers - S-1-5-32-576: Builtin\RDS Endpoint Servers - S-1-5-32-577: Builtin\RDS Management Servers - S-1-5-32-578: Builtin\Hyper-V Administrators - S-1-5-32-579: Builtin\Access Control Assistance Operators - S-1-5-32-580: Builtin\Remote Management Users - S-1-5-32-582: Storage Replica Administrators - S-1-5-4: Interactive - S-1-5-5-X-Y: Logon Session - S-1-5-6: Service - S-1-5-64-10: NTLM Authentication - S-1-5-64-14: SChannel Authentication - S-1-5-64-21: Digest Authentication - S-1-5-7: Anonymous - S-1-5-8: Proxy - S-1-5-80: NT Service - S-1-5-80-0: All Services - S-1-5-83-0: NT Virtual Machine\Virtual Machines - S-1-5-9: Enterprise Domain Controllers - S-1-5-90-0: Windows Manager\Windows Manager Group - AceTypes: - A: Access Allowed - D: Access Denied - OA: Object Access Allowed - OD: Object Access Denied - AU: System Audit - AL: System Alarm - OU: System Object Audit - OL: System Object Alarm - ML: System Mandatory Label - SP: Central Policy ID - DomainSpecificSID: - "498": Enterprise Read-only Domain Controllers - "500": Administrator - "501": Guest - "502": KRBTGT - "512": Domain Admins - "513": Domain Users - "514": Domain Guests - "515": Domain Computers - "516": Domain Controllers - "517": Cert Publishers - "518": Schema Admins - "519": Enterprise Admins - "520": Group Policy Creator Owners - "521": Read-only Domain Controllers - "522": Cloneable Domain Controllers - "526": Key Admins - "527": Enterprise Key Admins - "553": RAS and IAS Servers - "571": Allowed RODC Password Replication Group - "572": Denied RODC Password Replication Group - PermissionDescription: - GA: Generic All - GR: Generic Read - GW: Generic Write - GX: Generic Execute - RC: Read Permissions - SD: Delete - WD: Modify Permissions - WO: Modify Owner - RP: Read All 
Properties - WP: Write All Properties - CC: Create All Child Objects - DC: Delete All Child Objects - LC: List Contents - SW: All Validated - LO: List Object - DT: Delete Subtree - CR: All Extended Rights - FA: File All Access - FR: File Generic Read - FX: FILE GENERIC EXECUTE - FW: FILE GENERIC WRITE - KA: KEY ALL ACCESS - KR: KEY READ - KW: KEY WRITE - KX: KEY EXECUTE - PermsFlags: - "0x80000000": 'Generic Read' - "0x4000000": 'Generic Write' - "0x20000000": 'Generic Execute' - "0x10000000": 'Generic All' - "0x02000000": 'Maximum Allowed' - "0x01000000": 'Access System Security' - "0x00100000": 'Syncronize' - "0x00080000": 'Write Owner' - "0x00040000": 'Write DACL' - "0x00020000": 'Read Control' - "0x00010000": 'Delete' - source: |- - ArrayList translatePermissionMask(def mask, def params) { - ArrayList al = new ArrayList(); - Long permCode = Long.decode(mask); - for (entry in params.PermsFlags.entrySet()) { - Long permFlag = Long.decode(entry.getKey()); - if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { - al.add(entry.getValue()); - } - } - if (al.length == 0) { - al.add(mask); - } - return al; - } - - HashMap translateACL(def dacl, def params) { - def aceArray = dacl.splitOnToken(";"); - HashMap hm = new HashMap(); - - if (aceArray.length >= 6 ) { - hm.put("grantee", translateSID(aceArray[5], params)); - } - - if (aceArray.length >= 1) { - hm.put("type", params.AceTypes[aceArray[0]]); - } - - if (aceArray.length >= 3) { - if (aceArray[2].startsWith("0x")) { - hm.put("perms", translatePermissionMask(aceArray[2], params)); - } else { - ArrayList al = new ArrayList(); - Pattern permPattern = /.{1,2}/; - Matcher permMatcher = permPattern.matcher(aceArray[2]); - while (permMatcher.find()) { - al.add(params.PermissionDescription[permMatcher.group(0)]); - } - hm.put("perms", al); - } - } - return hm; - } - String translateSID(def sid, def params) { - if (!params.AccountSIDDescription.containsKey(sid)) { - if (sid.startsWith("S-1-5-21")) { - 
Pattern uidPattern = /[0-9]{1,5}$/; - Matcher uidMatcher = uidPattern.matcher(sid); - if (uidMatcher.find()) { - return params.DomainSpecificSID[uidMatcher.group(0)]; - } - return sid; - } - return sid; - } - return params.AccountSIDDescription[sid]; - } - - void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { - Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; - Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); - if (sdOwnerMatcher.find()) { - ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); - } - - Pattern sdGroupPattern = /^G\:[A-Z]{2}/; - Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); - if (sdGroupMatcher.find()) { - ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); - } - - Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; - Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); - if (sdDaclMatcher.find()) { - Pattern dacListPattern = /\([^*\)]*\)/; - Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); - for (def i = 0; dacListMatcher.find(); i++) { - def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); - ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); - if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(newDacl['grantee'])) { - ctx.related.user.add(newDacl['grantee']); - } - } - } - } - - Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; - Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); - if (sdSaclMatcher.find()) { - Pattern sacListPattern = /\([^*\)]*\)/; - Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); - for (def i = 0; sacListMatcher.find(); 
i++) { - def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); - ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")"); - if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(newSacl['grantee'])) { - ctx.related.user.add(newSacl['grantee']); - } - } - } - } - } - - void splitSidList(def sids, def params, def ctx) { - ArrayList al = new ArrayList(); - def sidList = sids.splitOnToken(" "); - ctx.winlog.event_data.put("SidList", sidList); - for (def i = 0; i < sidList.length; i++ ) { - al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); - } - ctx.winlog.event_data.put("SidListDesc", al); - } - - if (ctx.event?.code == null || - !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.OldSd != null) { - enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); - } - if (ctx.winlog?.event_data?.NewSd != null) { - enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); - } - if (ctx.winlog?.event_data?.SidList != null) { - splitSidList(ctx.winlog.event_data.SidList, params, ctx); - } - - - set: - field: file.name - copy_from: winlog.event_data.RelativeTargetName - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.RelativeTargetName != null && - ctx.winlog.event_data.RelativeTargetName != "" - - set: - field: file.directory - copy_from: winlog.event_data.ShareLocalPath - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareLocalPath != null && - ctx.winlog.event_data.ShareLocalPath 
!= "" - - set: - field: file.path - value: "{{file.directory}}\\{{file.name}}" - if: ctx.file?.name != null && ctx.file?.directory != null - - set: - field: file.directory - copy_from: winlog.event_data.ShareLocalPath - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareLocalPath != null && - ctx.winlog.event_data.ShareLocalPath != "" - - set: - field: file.target_path - value: "{{winlog.event_data.ShareName}}\\{{file.name}}" - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareName != null && - ctx.winlog.event_data.ShareName != "" && - ctx.file?.name != null - - script: - description: Adds file information. - lang: painless - if: ctx.file?.name != null - source: |- - def extIdx = ctx.file.name.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = ctx.file.name.substring(extIdx+1); - } - convert: field: winlog.record_id type: string ignore_missing: true - - convert: field: winlog.event_id type: string ignore_missing: true - - set: field: ecs.version - value: '8.0.0' - + value: '8.17.0' - set: field: log.level copy_from: winlog.level ignore_empty_value: true ignore_failure: true if: ctx.winlog?.level != "" - - date: field: winlog.time_created tag: "time_created_date" @@ -4231,17 +3855,14 @@ processors: value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - fail: message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - - #Cleanup _temp fields as it is not needed anymore - - remove: - field: _temp + - convert: + field: error.code + type: string ignore_missing: true - ignore_failure: true - on_failure: - set: field: event.kind value: pipeline_error - append: field: error.message - value: "{{{ _ingest.on_failure_message }}}" + value: "{{ _ingest.on_failure_message }}" 
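Review bot: The changed `error.message` value goes from `{{{ _ingest.on_failure_message }}}` to `{{ _ingest.on_failure_message }}`; Mustache HTML-escapes double-brace output, so failure messages containing quotes, `<`, `>` or `&` end up entity-encoded in `error.message`, and this is the opposite of the change made to `routing.yml`'s `on_failure` in the same commit, which moves to triple braces. Keep `value: "{{{ _ingest.on_failure_message }}}"` so the two pipelines agree and the stored message is literal. Separately, the `remove: field: _temp` cleanup is deleted here; if any processor kept on the HEAD side of this file still writes scratch data under `_temp`, those fields will now persist in the indexed document, which is worth confirming since that part of the file lies outside this hunk.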
diff --git a/x-pack/winlogbeat/module/security/ingest/security_standard.yml b/x-pack/winlogbeat/module/security/ingest/security_standard.yml new file mode 100644 index 000000000000..68e74d61f1e1 --- /dev/null +++ b/x-pack/winlogbeat/module/security/ingest/security_standard.yml 
@@ -0,0 +1,4248 @@ +--- +description: Pipeline for Windows Security events +processors: + - convert: + field: event.code + type: string + ignore_missing: true + - script: + lang: painless + ignore_failure: false + tag: Set ECS categorization fields + description: Set ECS categorization fields + params: + "1100": + category: + - process + type: + - end + action: logging-service-shutdown + "1102": + category: + - iam + type: + - admin + - change + action: audit-log-cleared + "1104": + category: + - iam + type: + - admin + action: logging-full + "1105": + category: + - iam + type: + - admin + action: auditlog-archieved + "1108": + category: + - iam + type: + - admin + action: logging-processing-error + "4610": + category: + - configuration + type: + - access + action: authentication-package-loaded + "4611": + category: + - configuration + type: + - change + action: trusted-logon-process-registered + "4614": + category: + - configuration + type: + - access + action: notification-package-loaded + "4616": + category: + - configuration + type: + - change + action: system-time-changed + "4622": + category: + - configuration + type: + - access + action: security-package-loaded + "4624": + category: + - authentication + type: + - start + action: logged-in + "4625": + category: + - authentication + type: + - start + action: logon-failed + "4634": + category: + - authentication + type: + - end + action: logged-out + "4647": + category: + - authentication + type: + - end + action: logged-out + "4648": + category: + - authentication + type: + - start + action: logged-in-explicit + "4657": + category: + - registry + - configuration + type: + - change + action: registry-value-modified + "4662": + category: + - iam + - configuration + type: + - admin + - change + action: object-operation-performed + "4670": + category: + - iam + - configuration + type: + - admin + - change + action: permissions-changed + "4672": + category: + - iam + type: + - admin + action: logged-in-special + 
"4673": + category: + - iam + type: + - admin + action: privileged-service-called + "4674": + category: + - iam + type: + - admin + action: privileged-operation + "4688": + category: + - process + type: + - start + action: created-process + "4689": + category: + - process + type: + - end + action: exited-process + "4697": + category: + - iam + - configuration + type: + - admin + - change + action: service-installed + "4698": + category: + - iam + - configuration + type: + - creation + - admin + action: scheduled-task-created + "4699": + category: + - iam + - configuration + type: + - deletion + - admin + action: scheduled-task-deleted + "4700": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-enabled + "4701": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-disabled + "4702": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-updated + "4706": + category: + - configuration + type: + - creation + action: domain-trust-added + "4707": + category: + - configuration + type: + - deletion + action: domain-trust-removed + "4713": + category: + - configuration + type: + - change + action: kerberos-policy-changed + "4714": + category: + - configuration + type: + - change + action: encrypted-data-recovery-policy-changed + "4715": + category: + - configuration + type: + - change + action: object-audit-policy-changed + "4716": + category: + - configuration + type: + - change + action: trusted-domain-information-changed + "4717": + category: + - iam + - configuration + type: + - admin + - change + action: system-security-access-granted + "4718": + category: + - iam + - configuration + type: + - admin + - deletion + action: system-security-access-removed + "4719": + category: + - iam + - configuration + type: + - admin + - change + action: changed-audit-config + "4720": + category: + - iam + type: + - user + - creation + action: added-user-account + 
"4722": + category: + - iam + type: + - user + - change + action: enabled-user-account + "4723": + category: + - iam + type: + - user + - change + action: changed-password + "4724": + category: + - iam + type: + - user + - change + action: reset-password + "4725": + category: + - iam + type: + - user + - deletion + action: disabled-user-account + "4726": + category: + - iam + type: + - user + - deletion + action: deleted-user-account + "4727": + category: + - iam + type: + - group + - creation + action: added-group-account + "4728": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4729": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4730": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4731": + category: + - iam + type: + - group + - creation + action: added-group-account + "4732": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4733": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4734": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4735": + category: + - iam + type: + - group + - change + action: modified-group-account + "4737": + category: + - iam + type: + - group + - change + action: modified-group-account + "4738": + category: + - iam + type: + - user + - change + action: modified-user-account + "4739": + category: + - configuration + type: + - change + action: domain-policy-changed + "4740": + category: + - iam + type: + - user + - change + action: locked-out-user-account + "4741": + category: + - iam + type: + - creation + - admin + action: added-computer-account + "4742": + category: + - iam + type: + - change + - admin + action: changed-computer-account + "4743": + category: + - iam + type: + - deletion + - admin + action: deleted-computer-account + "4744": + category: + - iam + type: + - group + - creation + action: 
added-distribution-group-account + "4745": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4746": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4747": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4748": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4749": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4750": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4751": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4752": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4753": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4754": + category: + - iam + type: + - group + - creation + action: added-group-account + "4755": + category: + - iam + type: + - group + - change + action: modified-group-account + "4756": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4757": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4758": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4759": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4760": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4761": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4762": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4763": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4764": + category: + - iam 
+ type: + - group + - change + action: type-changed-group-account + "4767": + category: + - iam + type: + - user + - change + action: unlocked-user-account + "4768": + category: + - authentication + type: + - start + action: kerberos-authentication-ticket-requested + "4769": + category: + - authentication + type: + - start + action: kerberos-service-ticket-requested + "4770": + category: + - authentication + type: + - start + action: kerberos-service-ticket-renewed + "4771": + category: + - authentication + type: + - start + action: kerberos-preauth-failed + "4776": + category: + - authentication + type: + - start + action: credential-validated + "4778": + category: + - authentication + - session + type: + - start + action: session-reconnected + "4779": + category: + - authentication + - session + type: + - end + action: session-disconnected + "4781": + category: + - iam + type: + - user + - change + action: renamed-user-account + "4797": + category: + - iam + type: + - user + - info + action: query-existence-of-blank-password + "4798": + category: + - iam + type: + - user + - info + action: group-membership-enumerated + "4799": + category: + - iam + type: + - group + - info + action: user-member-enumerated + "4817": + category: + - iam + - configuration + type: + - admin + - change + action: object-audit-changed + "4902": + category: + - iam + - configuration + type: + - admin + - creation + action: user-audit-policy-created + "4904": + category: + - iam + - configuration + type: + - admin + - change + action: security-event-source-added + "4905": + category: + - iam + - configuration + type: + - admin + - deletion + action: security-event-source-removed + "4906": + category: + - iam + - configuration + type: + - admin + - change + action: crash-on-audit-changed + "4907": + category: + - iam + - configuration + type: + - admin + - change + action: audit-setting-changed + "4908": + category: + - iam + - configuration + type: + - admin + - change + action: 
special-group-table-changed + "4912": + category: + - iam + - configuration + type: + - admin + - change + action: per-user-audit-policy-changed + "4950": + category: + - configuration + type: + - change + action: windows-firewall-setting-changed + "4954": + category: + - configuration + type: + - change + action: windows-firewall-group-policy-changed + "4964": + category: + - iam + type: + - admin + - group + action: logged-in-special + "5024": + category: + - process + type: + - start + action: windows-firewall-service-started + "5025": + category: + - process + type: + - end + action: windows-firewall-service-stopped + "5033": + category: + - driver + type: + - start + action: windows-firewall-driver-started + "5034": + category: + - driver + type: + - end + action: windows-firewall-driver-stopped + "5037": + category: + - driver + type: + - end + action: windows-firewall-driver-error + "5136": + category: + - iam + - configuration + type: + - admin + - change + action: directory-service-object-modified + "5140": + category: + - network + - file + type: + - info + - access + action: network-share-object-accessed + "5145": + category: + - network + - file + type: + - info + - access + action: network-share-object-access-checked + "5379": + category: + - iam + type: + - user + - info + action: credential-manager-credentials-were-read + "5380": + category: + - iam + type: + - user + - info + action: vault-credential-find + "5381": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + "5382": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + source: |- + if (ctx.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + params.get(ctx.event.code).forEach((k, v) -> { + if (v instanceof List) { + ctx.event[k] = new ArrayList(v); + } else { + ctx.event[k] = v; + } + }); + - script: + lang: painless + ignore_failure: false + tag: Set Logon Type + description: Set Logon Type + # Logon 
Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events + params: + "2": Interactive + "3": Network + "4": Batch + "5": Service + "7": Unlock + "8": NetworkCleartext + "9": NewCredentials + "10": RemoteInteractive + "11": CachedInteractive + source: |- + if (ctx.winlog?.event_data?.LogonType == null) { + return; + } + def t = params.get(ctx.winlog.event_data.LogonType); + if (t == null) { + return; + } + if (ctx.winlog?.logon == null ) { + Map map = new HashMap(); + ctx.winlog.put("logon", map); + } + ctx.winlog.logon.put("type", t) + - script: + lang: painless + ignore_failure: false + tag: Set User Account Control + description: Set User Account Control + # User Account Control Attributes Table + # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380 + params: + "0x00000001": USER_ACCOUNT_DISABLED + "0x00000002": USER_HOME_DIRECTORY_REQUIRED + "0x00000004": USER_PASSWORD_NOT_REQUIRED + "0x00000008": USER_TEMP_DUPLICATE_ACCOUNT + "0x00000010": USER_NORMAL_ACCOUNT + "0x00000020": USER_MNS_LOGON_ACCOUNT + "0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT + "0x00000080": USER_WORKSTATION_TRUST_ACCOUNT + "0x00000100": USER_SERVER_TRUST_ACCOUNT + "0x00000200": USER_DONT_EXPIRE_PASSWORD + "0x00000400": USER_ACCOUNT_AUTO_LOCKED + "0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED + "0x00001000": USER_SMARTCARD_REQUIRED + "0x00002000": USER_TRUSTED_FOR_DELEGATION + "0x00004000": USER_NOT_DELEGATED + "0x00008000": USER_USE_DES_KEY_ONLY + "0x00010000": USER_DONT_REQUIRE_PREAUTH + "0x00020000": USER_PASSWORD_EXPIRED + "0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION + "0x00080000": USER_NO_AUTH_DATA_REQUIRED + "0x00100000": USER_PARTIAL_SECRETS_ACCOUNT + "0x00200000": USER_USE_AES_KEYS + source: |- + if (ctx.winlog?.event_data == null) { + return; + } + if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") { + return; + } + 
Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); + ArrayList uacResult = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { + uacResult.add(entry.getValue()); + } + } + if (uacResult.length == 0) { + return; + } + ctx.winlog.event_data.put("NewUACList", uacResult); + if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") { + return; + } + ArrayList uac_array = new ArrayList(); + for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken((String)((char)0x0a))) { + def trimmed = elem.replace("%%","").trim(); + if (trimmed.length() > 0) { + uac_array.add(trimmed); + } + } + ctx.winlog.event_data.UserAccountControl = uac_array; + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Options + description: Set Kerberos Ticket Options + # Kerberos TGT and TGS Ticket Options + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 + params: + "0x40000000": Forwardable + "0x20000000": Forwarded + "0x10000000": Proxiable + "0x08000000": Proxy + "0x04000000": Allow-postdate + "0x02000000": Postdated + "0x01000000": Invalid + "0x00800000": Renewable + "0x00400000": Initial + "0x00200000": Pre-authent + "0x00100000": Opt-hardware-auth + "0x00080000": Transited-policy-checked + "0x00040000": Ok-as-delegate + "0x00020000": Request-anonymous + "0x00010000": Name-canonicalize + "0x00000020": Disable-transited-check + "0x00000010": Renewable-ok + "0x00000008": Enc-tkt-in-skey + "0x00000002": Renew + "0x00000001": Validate + source: |- + if (ctx.winlog?.event_data?.TicketOptions == null) { + return; + } + Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); + ArrayList tDescs = new ArrayList(); + for (entry in params.entrySet()) { + 
Long flag = Long.decode(entry.getKey()); + if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { + tDescs.add(entry.getValue()); + } + } + if (tDescs.length == 0) { + return; + } + ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Encryption Types + description: Set Kerberos Encryption Types + # Kerberos Encryption Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + params: + "0x1": DES-CBC-CRC + "0x3": DES-CBC-MD5 + "0x11": AES128-CTS-HMAC-SHA1-96 + "0x12": AES256-CTS-HMAC-SHA1-96 + "0x17": RC4-HMAC + "0x18": RC4-HMAC-EXP + "0xffffffff": FAIL + source: |- + if (ctx.winlog?.event_data?.TicketEncryptionType == null) { + return; + } + ctx.winlog.event_data.put("TicketEncryptionTypeDescription", + params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Status Codes + # Kerberos Result Status Codes + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + description: Set Kerberos Ticket Status Codes + params: + "0x0": KDC_ERR_NONE + "0x1": KDC_ERR_NAME_EXP + "0x2": KDC_ERR_SERVICE_EXP + "0x3": KDC_ERR_BAD_PVNO + "0x4": KDC_ERR_C_OLD_MAST_KVNO + "0x5": KDC_ERR_S_OLD_MAST_KVNO + "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN + "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN + "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE + "0x9": KDC_ERR_NULL_KEY + "0xA": KDC_ERR_CANNOT_POSTDATE + "0xB": KDC_ERR_NEVER_VALID + "0xC": KDC_ERR_POLICY + "0xD": KDC_ERR_BADOPTION + "0xE": KDC_ERR_ETYPE_NOTSUPP + "0xF": KDC_ERR_SUMTYPE_NOSUPP + "0x10": KDC_ERR_PADATA_TYPE_NOSUPP + "0x11": KDC_ERR_TRTYPE_NO_SUPP + "0x12": KDC_ERR_CLIENT_REVOKED + "0x13": KDC_ERR_SERVICE_REVOKED + 
"0x14": KDC_ERR_TGT_REVOKED + "0x15": KDC_ERR_CLIENT_NOTYET + "0x16": KDC_ERR_SERVICE_NOTYET + "0x17": KDC_ERR_KEY_EXPIRED + "0x18": KDC_ERR_PREAUTH_FAILED + "0x19": KDC_ERR_PREAUTH_REQUIRED + "0x1A": KDC_ERR_SERVER_NOMATCH + "0x1B": KDC_ERR_MUST_USE_USER2USER + "0x1F": KRB_AP_ERR_BAD_INTEGRITY + "0x20": KRB_AP_ERR_TKT_EXPIRED + "0x21": KRB_AP_ERR_TKT_NYV + "0x22": KRB_AP_ERR_REPEAT + "0x23": KRB_AP_ERR_NOT_US + "0x24": KRB_AP_ERR_BADMATCH + "0x25": KRB_AP_ERR_SKEW + "0x26": KRB_AP_ERR_BADADDR + "0x27": KRB_AP_ERR_BADVERSION + "0x28": KRB_AP_ERR_MSG_TYPE + "0x29": KRB_AP_ERR_MODIFIED + "0x2A": KRB_AP_ERR_BADORDER + "0x2C": KRB_AP_ERR_BADKEYVER + "0x2D": KRB_AP_ERR_NOKEY + "0x2E": KRB_AP_ERR_MUT_FAIL + "0x2F": KRB_AP_ERR_BADDIRECTION + "0x30": KRB_AP_ERR_METHOD + "0x31": KRB_AP_ERR_BADSEQ + "0x32": KRB_AP_ERR_INAPP_CKSUM + "0x33": KRB_AP_PATH_NOT_ACCEPTED + "0x34": KRB_ERR_RESPONSE_TOO_BIG + "0x3C": KRB_ERR_GENERIC + "0x3D": KRB_ERR_FIELD_TOOLONG + "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED + "0x3F": KDC_ERR_KDC_NOT_TRUSTED + "0x40": KDC_ERR_INVALID_SIG + "0x41": KDC_ERR_KEY_TOO_WEAK + "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED + "0x43": KRB_AP_ERR_NO_TGT + "0x44": KDC_ERR_WRONG_REALM + source: |- + if (ctx.winlog?.event_data?.Status == null || + ctx.event?.code == null || + !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { + return; + } + ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]); + - script: + lang: painless + ignore_failure: false + tag: Set Service Type and Name + description: Set Service Type and Name + # Services Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 + params: + "0x1": Kernel Driver + "0x2": File System Driver + "0x8": Recognizer Driver + "0x10": Win32 Own Process + "0x20": Win32 Share Process + "0x110": Interactive Own Process + "0x120": Interactive Share Process + source: |- + if (ctx.winlog?.event_data?.ServiceName != null) { + if (ctx.service == null) { 
+ HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("name", ctx.winlog.event_data.ServiceName); + } + if (ctx.winlog.event_data?.ServiceType != null) { + if (ctx.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); + } + - script: + lang: painless + ignore_failure: false + tag: Set Audit Information + description: Set Audit Information + params: + "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] + "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] + "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] + "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] + "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] + "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] + "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] + "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] + "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] + "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] + "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"] + "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] + "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] + "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] + "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] + "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] + "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] + "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] + "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] + "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] + 
"0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] + "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] + "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] + "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] + "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"] + "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] + "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] + "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] + "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] + "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] + "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] + "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] + "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] + "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] + "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"] + "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] + "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] + "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] + "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] + "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] + "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] + "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] + "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] + 
"0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] + "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] + "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] + "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"] + "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] + "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] + "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] + "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] + "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] + "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] + "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] + "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] + "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] + "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] + source: |- + if (ctx.winlog?.event_data?.SubcategoryGuid == null) { + return; + } + def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); + if (!params.containsKey(subCatGuid)) { + return; + } + ctx.winlog.event_data.put("Category", params[subCatGuid][1]); + ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); + - script: + lang: painless + ignore_failure: false + tag: Decode message table + description: Decode message table + # Message table extracted from msobjs.dll on Windows 2019. 
+ # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + descriptions: + "279": "Undefined Access (no effect) Bit 7" + "1536": "Unused message ID" + "1537": "DELETE" + "1538": "READ_CONTROL" + "1539": "WRITE_DAC" + "1540": "WRITE_OWNER" + "1541": "SYNCHRONIZE" + "1542": "ACCESS_SYS_SEC" + "1543": "MAX_ALLOWED" + "1552": "Unknown specific access (bit 0)" + "1553": "Unknown specific access (bit 1)" + "1554": "Unknown specific access (bit 2)" + "1555": "Unknown specific access (bit 3)" + "1556": "Unknown specific access (bit 4)" + "1557": "Unknown specific access (bit 5)" + "1558": "Unknown specific access (bit 6)" + "1559": "Unknown specific access (bit 7)" + "1560": "Unknown specific access (bit 8)" + "1561": "Unknown specific access (bit 9)" + "1562": "Unknown specific access (bit 10)" + "1563": "Unknown specific access (bit 11)" + "1564": "Unknown specific access (bit 12)" + "1565": "Unknown specific access (bit 13)" + "1566": "Unknown specific access (bit 14)" + "1567": "Unknown specific access (bit 15)" + "1601": "Not used" + "1603": "Assign Primary Token Privilege" + "1604": "Lock Memory Privilege" + "1605": "Increase Memory Quota Privilege" + "1606": "Unsolicited Input Privilege" + "1607": "Trusted Computer Base Privilege" + "1608": "Security Privilege" + "1609": "Take Ownership Privilege" + "1610": "Load/Unload Driver Privilege" + "1611": "Profile System Privilege" + "1612": "Set System Time Privilege" + "1613": "Profile Single Process Privilege" + "1614": "Increment Base Priority Privilege" + "1615": "Create Pagefile Privilege" + "1616": "Create Permanent Object Privilege" + "1617": "Backup Privilege" + "1618": "Restore From Backup Privilege" + "1619": "Shutdown System Privilege" + "1620": "Debug Privilege" + "1621": "View or Change 
Audit Log Privilege" + "1622": "Change Hardware Environment Privilege" + "1623": "Change Notify (and Traverse) Privilege" + "1624": "Remotely Shut System Down Privilege" + "1792": "" + "1794": "" + "1795": "Enabled" + "1796": "Disabled" + "1797": "All" + "1798": "None" + "1799": "Audit Policy query/set API Operation" + "1800": "" + "1801": "Granted by" + "1802": "Denied by" + "1803": "Denied by Integrity Policy check" + "1804": "Granted by Ownership" + "1805": "Not granted" + "1806": "Granted by NULL DACL" + "1807": "Denied by Empty DACL" + "1808": "Granted by NULL Security Descriptor" + "1809": "Unknown or unchecked" + "1810": "Not granted due to missing" + "1811": "Granted by ACE on parent folder" + "1812": "Denied by ACE on parent folder" + "1813": "Granted by Central Access Rule" + "1814": "NOT Granted by Central Access Rule" + "1815": "Granted by parent folder's Central Access Rule" + "1816": "NOT Granted by parent folder's Central Access Rule" + "1817": "Unknown Type" + "1818": "String" + "1819": "Unsigned 64-bit Integer" + "1820": "64-bit Integer" + "1821": "FQBN" + "1822": "Blob" + "1823": "Sid" + "1824": "Boolean" + "1825": "TRUE" + "1826": "FALSE" + "1827": "Invalid" + "1828": "an ACE too long to display" + "1829": "a Security Descriptor too long to display" + "1830": "Not granted to AppContainers" + "1831": "..." + "1832": "Identification" + "1833": "Impersonation" + "1840": "Delegation" + "1841": "Denied by Process Trust Label ACE" + "1842": "Yes" + "1843": "No" + "1844": "System" + "1845": "Not Available" + "1846": "Default" + "1847": "DisallowMmConfig" + "1848": "Off" + "1849": "Auto" + "1872": "REG_NONE" + "1873": "REG_SZ" + "1874": "REG_EXPAND_SZ" + "1875": "REG_BINARY" + "1876": "REG_DWORD" + "1877": "REG_DWORD_BIG_ENDIAN" + "1878": "REG_LINK" + "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)" + "1880": "REG_RESOURCE_LIST" + "1881": "REG_FULL_RESOURCE_DESCRIPTOR" + "1882": "REG_RESOURCE_REQUIREMENTS_LIST" + "1883": "REG_QWORD" + "1904": "New registry value created" + "1905": "Existing registry value modified" + "1906": "Registry value deleted" + "1920": "Sunday" + "1921": "Monday" + "1922": "Tuesday" + "1923": "Wednesday" + "1924": "Thursday" + "1925": "Friday" + "1926": "Saturday" + "1936": "TokenElevationTypeDefault (1)" + "1937": "TokenElevationTypeFull (2)" + "1938": "TokenElevationTypeLimited (3)" + "2048": "Account Enabled" + "2049": "Home Directory Required' - Disabled" + "2050": "Password Not Required' - Disabled" + "2051": "Temp Duplicate Account' - Disabled" + "2052": "Normal Account' - Disabled" + "2053": "MNS Logon Account' - Disabled" + "2054": "Interdomain Trust Account' - Disabled" + "2055": "Workstation Trust Account' - Disabled" + "2056": "Server Trust Account' - Disabled" + "2057": "Don't Expire Password' - Disabled" + "2058": "Account Unlocked" + "2059": "Encrypted Text Password Allowed' - Disabled" + "2060": "Smartcard Required' - Disabled" + "2061": "Trusted For Delegation' - Disabled" + "2062": "Not Delegated' - Disabled" + "2063": "Use DES Key Only' - Disabled" + "2064": "Don't Require Preauth' - Disabled" + "2065": "Password Expired' - Disabled" + "2066": "Trusted To Authenticate For Delegation' - Disabled" + "2067": "Exclude Authorization Information' - Disabled" + "2068": "Undefined UserAccountControl Bit 20' - Disabled" + "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" + "2070": "Undefined UserAccountControl Bit 22' - Disabled" + "2071": "Undefined UserAccountControl Bit 23' - Disabled" + "2072": "Undefined UserAccountControl Bit 24' - Disabled" + "2073": "Undefined UserAccountControl Bit 25' - Disabled" + "2074": "Undefined UserAccountControl Bit 26' - Disabled" + "2075": "Undefined UserAccountControl Bit 27' - Disabled" + "2076": "Undefined UserAccountControl Bit 28' - Disabled" 
+ "2077": "Undefined UserAccountControl Bit 29' - Disabled" + "2078": "Undefined UserAccountControl Bit 30' - Disabled" + "2079": "Undefined UserAccountControl Bit 31' - Disabled" + "2080": "Account Disabled" + "2081": "Home Directory Required' - Enabled" + "2082": "Password Not Required' - Enabled" + "2083": "Temp Duplicate Account' - Enabled" + "2084": "Normal Account' - Enabled" + "2085": "MNS Logon Account' - Enabled" + "2086": "Interdomain Trust Account' - Enabled" + "2087": "Workstation Trust Account' - Enabled" + "2088": "Server Trust Account' - Enabled" + "2089": "Don't Expire Password' - Enabled" + "2090": "Account Locked" + "2091": "Encrypted Text Password Allowed' - Enabled" + "2092": "Smartcard Required' - Enabled" + "2093": "Trusted For Delegation' - Enabled" + "2094": "Not Delegated' - Enabled" + "2095": "Use DES Key Only' - Enabled" + "2096": "Don't Require Preauth' - Enabled" + "2097": "Password Expired' - Enabled" + "2098": "Trusted To Authenticate For Delegation' - Enabled" + "2099": "Exclude Authorization Information' - Enabled" + "2100": "Undefined UserAccountControl Bit 20' - Enabled" + "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" + "2102": "Undefined UserAccountControl Bit 22' - Enabled" + "2103": "Undefined UserAccountControl Bit 23' - Enabled" + "2104": "Undefined UserAccountControl Bit 24' - Enabled" + "2105": "Undefined UserAccountControl Bit 25' - Enabled" + "2106": "Undefined UserAccountControl Bit 26' - Enabled" + "2107": "Undefined UserAccountControl Bit 27' - Enabled" + "2108": "Undefined UserAccountControl Bit 28' - Enabled" + "2109": "Undefined UserAccountControl Bit 29' - Enabled" + "2110": "Undefined UserAccountControl Bit 30' - Enabled" + "2111": "Undefined UserAccountControl Bit 31' - Enabled" + "2304": "An Error occured during Logon." + "2305": "The specified user account has expired." + "2306": "The NetLogon component is not active." + "2307": "Account locked out." 
+ "2308": "The user has not been granted the requested logon type at this machine." + "2309": "The specified account's password has expired." + "2310": "Account currently disabled." + "2311": "Account logon time restriction violation." + "2312": "User not allowed to logon at this computer." + "2313": "Unknown user name or bad password." + "2314": "Domain sid inconsistent." + "2315": "Smartcard logon is required and was not used." + "2432": "Not Available." + "2436": "Random number generator failure." + "2437": "Random number generation failed FIPS-140 pre-hash check." + "2438": "Failed to zero secret data." + "2439": "Key failed pair wise consistency check." + "2448": "Failed to unprotect persistent cryptographic key." + "2449": "Key export checks failed." + "2450": "Validation of public key failed." + "2451": "Signature verification failed." + "2456": "Open key file." + "2457": "Delete key file." + "2458": "Read persisted key from file." + "2459": "Write persisted key to file." + "2464": "Export of persistent cryptographic key." + "2465": "Import of persistent cryptographic key." + "2480": "Open Key." + "2481": "Create Key." + "2482": "Delete Key." + "2483": "Encrypt." + "2484": "Decrypt." + "2485": "Sign hash." + "2486": "Secret agreement." + "2487": "Domain settings" + "2488": "Local settings" + "2489": "Add provider." + "2490": "Remove provider." + "2491": "Add context." + "2492": "Remove context." + "2493": "Add function." + "2494": "Remove function." + "2495": "Add function provider." + "2496": "Remove function provider." + "2497": "Add function property." + "2498": "Remove function property." + "2499": "Machine key." + "2500": "User key." + "2501": "Key Derivation." 
+ "4352": "Device Access Bit 0" + "4353": "Device Access Bit 1" + "4354": "Device Access Bit 2" + "4355": "Device Access Bit 3" + "4356": "Device Access Bit 4" + "4357": "Device Access Bit 5" + "4358": "Device Access Bit 6" + "4359": "Device Access Bit 7" + "4360": "Device Access Bit 8" + "4361": "Undefined Access (no effect) Bit 9" + "4362": "Undefined Access (no effect) Bit 10" + "4363": "Undefined Access (no effect) Bit 11" + "4364": "Undefined Access (no effect) Bit 12" + "4365": "Undefined Access (no effect) Bit 13" + "4366": "Undefined Access (no effect) Bit 14" + "4367": "Undefined Access (no effect) Bit 15" + "4368": "Query directory" + "4369": "Traverse" + "4370": "Create object in directory" + "4371": "Create sub-directory" + "4372": "Undefined Access (no effect) Bit 4" + "4373": "Undefined Access (no effect) Bit 5" + "4374": "Undefined Access (no effect) Bit 6" + "4375": "Undefined Access (no effect) Bit 7" + "4376": "Undefined Access (no effect) Bit 8" + "4377": "Undefined Access (no effect) Bit 9" + "4378": "Undefined Access (no effect) Bit 10" + "4379": "Undefined Access (no effect) Bit 11" + "4380": "Undefined Access (no effect) Bit 12" + "4381": "Undefined Access (no effect) Bit 13" + "4382": "Undefined Access (no effect) Bit 14" + "4383": "Undefined Access (no effect) Bit 15" + "4384": "Query event state" + "4385": "Modify event state" + "4386": "Undefined Access (no effect) Bit 2" + "4387": "Undefined Access (no effect) Bit 3" + "4388": "Undefined Access (no effect) Bit 4" + "4389": "Undefined Access (no effect) Bit 5" + "4390": "Undefined Access (no effect) Bit 6" + "4391": "Undefined Access (no effect) Bit 7" + "4392": "Undefined Access (no effect) Bit 8" + "4393": "Undefined Access (no effect) Bit 9" + "4394": "Undefined Access (no effect) Bit 10" + "4395": "Undefined Access (no effect) Bit 11" + "4396": "Undefined Access (no effect) Bit 12" + "4397": "Undefined Access (no effect) Bit 13" + "4398": "Undefined Access (no effect) Bit 14" + 
"4399": "Undefined Access (no effect) Bit 15" + "4416": "ReadData (or ListDirectory)" + "4417": "WriteData (or AddFile)" + "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" + "4419": "ReadEA" + "4420": "WriteEA" + "4421": "Execute/Traverse" + "4422": "DeleteChild" + "4423": "ReadAttributes" + "4424": "WriteAttributes" + "4425": "Undefined Access (no effect) Bit 9" + "4426": "Undefined Access (no effect) Bit 10" + "4427": "Undefined Access (no effect) Bit 11" + "4428": "Undefined Access (no effect) Bit 12" + "4429": "Undefined Access (no effect) Bit 13" + "4430": "Undefined Access (no effect) Bit 14" + "4431": "Undefined Access (no effect) Bit 15" + "4432": "Query key value" + "4433": "Set key value" + "4434": "Create sub-key" + "4435": "Enumerate sub-keys" + "4436": "Notify about changes to keys" + "4437": "Create Link" + "4438": "Undefined Access (no effect) Bit 6" + "4439": "Undefined Access (no effect) Bit 7" + "4440": "Enable 64(or 32) bit application to open 64 bit key" + "4441": "Enable 64(or 32) bit application to open 32 bit key" + "4442": "Undefined Access (no effect) Bit 10" + "4443": "Undefined Access (no effect) Bit 11" + "4444": "Undefined Access (no effect) Bit 12" + "4445": "Undefined Access (no effect) Bit 13" + "4446": "Undefined Access (no effect) Bit 14" + "4447": "Undefined Access (no effect) Bit 15" + "4448": "Query mutant state" + "4449": "Undefined Access (no effect) Bit 1" + "4450": "Undefined Access (no effect) Bit 2" + "4451": "Undefined Access (no effect) Bit 3" + "4452": "Undefined Access (no effect) Bit 4" + "4453": "Undefined Access (no effect) Bit 5" + "4454": "Undefined Access (no effect) Bit 6" + "4455": "Undefined Access (no effect) Bit 7" + "4456": "Undefined Access (no effect) Bit 8" + "4457": "Undefined Access (no effect) Bit 9" + "4458": "Undefined Access (no effect) Bit 10" + "4459": "Undefined Access (no effect) Bit 11" + "4460": "Undefined Access (no effect) Bit 12" + "4461": "Undefined Access (no effect) Bit 
13" + "4462": "Undefined Access (no effect) Bit 14" + "4463": "Undefined Access (no effect) Bit 15" + "4464": "Communicate using port" + "4465": "Undefined Access (no effect) Bit 1" + "4466": "Undefined Access (no effect) Bit 2" + "4467": "Undefined Access (no effect) Bit 3" + "4468": "Undefined Access (no effect) Bit 4" + "4469": "Undefined Access (no effect) Bit 5" + "4470": "Undefined Access (no effect) Bit 6" + "4471": "Undefined Access (no effect) Bit 7" + "4472": "Undefined Access (no effect) Bit 8" + "4473": "Undefined Access (no effect) Bit 9" + "4474": "Undefined Access (no effect) Bit 10" + "4475": "Undefined Access (no effect) Bit 11" + "4476": "Undefined Access (no effect) Bit 12" + "4477": "Undefined Access (no effect) Bit 13" + "4478": "Undefined Access (no effect) Bit 14" + "4479": "Undefined Access (no effect) Bit 15" + "4480": "Force process termination" + "4481": "Create new thread in process" + "4482": "Set process session ID" + "4483": "Perform virtual memory operation" + "4484": "Read from process memory" + "4485": "Write to process memory" + "4486": "Duplicate handle into or out of process" + "4487": "Create a subprocess of process" + "4488": "Set process quotas" + "4489": "Set process information" + "4490": "Query process information" + "4491": "Set process termination port" + "4492": "Undefined Access (no effect) Bit 12" + "4493": "Undefined Access (no effect) Bit 13" + "4494": "Undefined Access (no effect) Bit 14" + "4495": "Undefined Access (no effect) Bit 15" + "4496": "Control profile" + "4497": "Undefined Access (no effect) Bit 1" + "4498": "Undefined Access (no effect) Bit 2" + "4499": "Undefined Access (no effect) Bit 3" + "4500": "Undefined Access (no effect) Bit 4" + "4501": "Undefined Access (no effect) Bit 5" + "4502": "Undefined Access (no effect) Bit 6" + "4503": "Undefined Access (no effect) Bit 7" + "4504": "Undefined Access (no effect) Bit 8" + "4505": "Undefined Access (no effect) Bit 9" + "4506": "Undefined Access (no 
effect) Bit 10" + "4507": "Undefined Access (no effect) Bit 11" + "4508": "Undefined Access (no effect) Bit 12" + "4509": "Undefined Access (no effect) Bit 13" + "4510": "Undefined Access (no effect) Bit 14" + "4511": "Undefined Access (no effect) Bit 15" + "4512": "Query section state" + "4513": "Map section for write" + "4514": "Map section for read" + "4515": "Map section for execute" + "4516": "Extend size" + "4517": "Undefined Access (no effect) Bit 5" + "4518": "Undefined Access (no effect) Bit 6" + "4519": "Undefined Access (no effect) Bit 7" + "4520": "Undefined Access (no effect) Bit 8" + "4521": "Undefined Access (no effect) Bit 9" + "4522": "Undefined Access (no effect) Bit 10" + "4523": "Undefined Access (no effect) Bit 11" + "4524": "Undefined Access (no effect) Bit 12" + "4525": "Undefined Access (no effect) Bit 13" + "4526": "Undefined Access (no effect) Bit 14" + "4527": "Undefined Access (no effect) Bit 15" + "4528": "Query semaphore state" + "4529": "Modify semaphore state" + "4530": "Undefined Access (no effect) Bit 2" + "4531": "Undefined Access (no effect) Bit 3" + "4532": "Undefined Access (no effect) Bit 4" + "4533": "Undefined Access (no effect) Bit 5" + "4534": "Undefined Access (no effect) Bit 6" + "4535": "Undefined Access (no effect) Bit 7" + "4536": "Undefined Access (no effect) Bit 8" + "4537": "Undefined Access (no effect) Bit 9" + "4538": "Undefined Access (no effect) Bit 10" + "4539": "Undefined Access (no effect) Bit 11" + "4540": "Undefined Access (no effect) Bit 12" + "4541": "Undefined Access (no effect) Bit 13" + "4542": "Undefined Access (no effect) Bit 14" + "4543": "Undefined Access (no effect) Bit 15" + "4544": "Use symbolic link" + "4545": "Undefined Access (no effect) Bit 1" + "4546": "Undefined Access (no effect) Bit 2" + "4547": "Undefined Access (no effect) Bit 3" + "4548": "Undefined Access (no effect) Bit 4" + "4549": "Undefined Access (no effect) Bit 5" + "4550": "Undefined Access (no effect) Bit 6" + "4551": 
"Undefined Access (no effect) Bit 7" + "4552": "Undefined Access (no effect) Bit 8" + "4553": "Undefined Access (no effect) Bit 9" + "4554": "Undefined Access (no effect) Bit 10" + "4555": "Undefined Access (no effect) Bit 11" + "4556": "Undefined Access (no effect) Bit 12" + "4557": "Undefined Access (no effect) Bit 13" + "4558": "Undefined Access (no effect) Bit 14" + "4559": "Undefined Access (no effect) Bit 15" + "4560": "Force thread termination" + "4561": "Suspend or resume thread" + "4562": "Send an alert to thread" + "4563": "Get thread context" + "4564": "Set thread context" + "4565": "Set thread information" + "4566": "Query thread information" + "4567": "Assign a token to the thread" + "4568": "Cause thread to directly impersonate another thread" + "4569": "Directly impersonate this thread" + "4570": "Undefined Access (no effect) Bit 10" + "4571": "Undefined Access (no effect) Bit 11" + "4572": "Undefined Access (no effect) Bit 12" + "4573": "Undefined Access (no effect) Bit 13" + "4574": "Undefined Access (no effect) Bit 14" + "4575": "Undefined Access (no effect) Bit 15" + "4576": "Query timer state" + "4577": "Modify timer state" + "4578": "Undefined Access (no effect) Bit 2" + "4579": "Undefined Access (no effect) Bit 3" + "4580": "Undefined Access (no effect) Bit 4" + "4581": "Undefined Access (no effect) Bit 5" + "4582": "Undefined Access (no effect) Bit 6" + "4584": "Undefined Access (no effect) Bit 8" + "4585": "Undefined Access (no effect) Bit 9" + "4586": "Undefined Access (no effect) Bit 10" + "4587": "Undefined Access (no effect) Bit 11" + "4588": "Undefined Access (no effect) Bit 12" + "4589": "Undefined Access (no effect) Bit 13" + "4590": "Undefined Access (no effect) Bit 14" + "4591": "Undefined Access (no effect) Bit 15" + "4592": "AssignAsPrimary" + "4593": "Duplicate" + "4594": "Impersonate" + "4595": "Query" + "4596": "QuerySource" + "4597": "AdjustPrivileges" + "4598": "AdjustGroups" + "4599": "AdjustDefaultDacl" + "4600": 
"AdjustSessionID" + "4601": "Undefined Access (no effect) Bit 9" + "4602": "Undefined Access (no effect) Bit 10" + "4603": "Undefined Access (no effect) Bit 11" + "4604": "Undefined Access (no effect) Bit 12" + "4605": "Undefined Access (no effect) Bit 13" + "4606": "Undefined Access (no effect) Bit 14" + "4607": "Undefined Access (no effect) Bit 15" + "4608": "Create instance of object type" + "4609": "Undefined Access (no effect) Bit 1" + "4610": "Undefined Access (no effect) Bit 2" + "4611": "Undefined Access (no effect) Bit 3" + "4612": "Undefined Access (no effect) Bit 4" + "4613": "Undefined Access (no effect) Bit 5" + "4614": "Undefined Access (no effect) Bit 6" + "4615": "Undefined Access (no effect) Bit 7" + "4616": "Undefined Access (no effect) Bit 8" + "4617": "Undefined Access (no effect) Bit 9" + "4618": "Undefined Access (no effect) Bit 10" + "4619": "Undefined Access (no effect) Bit 11" + "4620": "Undefined Access (no effect) Bit 12" + "4621": "Undefined Access (no effect) Bit 13" + "4622": "Undefined Access (no effect) Bit 14" + "4623": "Undefined Access (no effect) Bit 15" + "4864": "Query State" + "4865": "Modify State" + "5120": "Channel read message" + "5121": "Channel write message" + "5122": "Channel query information" + "5123": "Channel set information" + "5124": "Undefined Access (no effect) Bit 4" + "5125": "Undefined Access (no effect) Bit 5" + "5126": "Undefined Access (no effect) Bit 6" + "5127": "Undefined Access (no effect) Bit 7" + "5128": "Undefined Access (no effect) Bit 8" + "5129": "Undefined Access (no effect) Bit 9" + "5130": "Undefined Access (no effect) Bit 10" + "5131": "Undefined Access (no effect) Bit 11" + "5132": "Undefined Access (no effect) Bit 12" + "5133": "Undefined Access (no effect) Bit 13" + "5134": "Undefined Access (no effect) Bit 14" + "5135": "Undefined Access (no effect) Bit 15" + "5136": "Assign process" + "5137": "Set Attributes" + "5138": "Query Attributes" + "5139": "Terminate Job" + "5140": "Set Security 
Attributes" + "5141": "Undefined Access (no effect) Bit 5" + "5142": "Undefined Access (no effect) Bit 6" + "5143": "Undefined Access (no effect) Bit 7" + "5144": "Undefined Access (no effect) Bit 8" + "5145": "Undefined Access (no effect) Bit 9" + "5146": "Undefined Access (no effect) Bit 10" + "5147": "Undefined Access (no effect) Bit 11" + "5148": "Undefined Access (no effect) Bit 12" + "5149": "Undefined Access (no effect) Bit 13" + "5150": "Undefined Access (no effect) Bit 14" + "5151": "Undefined Access (no effect) Bit 15" + "5376": "ConnectToServer" + "5377": "ShutdownServer" + "5378": "InitializeServer" + "5379": "CreateDomain" + "5380": "EnumerateDomains" + "5381": "LookupDomain" + "5382": "Undefined Access (no effect) Bit 6" + "5383": "Undefined Access (no effect) Bit 7" + "5384": "Undefined Access (no effect) Bit 8" + "5385": "Undefined Access (no effect) Bit 9" + "5386": "Undefined Access (no effect) Bit 10" + "5387": "Undefined Access (no effect) Bit 11" + "5388": "Undefined Access (no effect) Bit 12" + "5389": "Undefined Access (no effect) Bit 13" + "5390": "Undefined Access (no effect) Bit 14" + "5391": "Undefined Access (no effect) Bit 15" + "5392": "ReadPasswordParameters" + "5393": "WritePasswordParameters" + "5394": "ReadOtherParameters" + "5395": "WriteOtherParameters" + "5396": "CreateUser" + "5397": "CreateGlobalGroup" + "5398": "CreateLocalGroup" + "5399": "GetLocalGroupMembership" + "5400": "ListAccounts" + "5401": "LookupIDs" + "5402": "AdministerServer" + "5403": "Undefined Access (no effect) Bit 11" + "5404": "Undefined Access (no effect) Bit 12" + "5405": "Undefined Access (no effect) Bit 13" + "5406": "Undefined Access (no effect) Bit 14" + "5407": "Undefined Access (no effect) Bit 15" + "5408": "ReadInformation" + "5409": "WriteAccount" + "5410": "AddMember" + "5411": "RemoveMember" + "5412": "ListMembers" + "5413": "Undefined Access (no effect) Bit 5" + "5414": "Undefined Access (no effect) Bit 6" + "5415": "Undefined Access (no 
effect) Bit 7" + "5416": "Undefined Access (no effect) Bit 8" + "5417": "Undefined Access (no effect) Bit 9" + "5418": "Undefined Access (no effect) Bit 10" + "5419": "Undefined Access (no effect) Bit 11" + "5420": "Undefined Access (no effect) Bit 12" + "5421": "Undefined Access (no effect) Bit 13" + "5422": "Undefined Access (no effect) Bit 14" + "5423": "Undefined Access (no effect) Bit 15" + "5424": "AddMember" + "5425": "RemoveMember" + "5426": "ListMembers" + "5427": "ReadInformation" + "5428": "WriteAccount" + "5429": "Undefined Access (no effect) Bit 5" + "5430": "Undefined Access (no effect) Bit 6" + "5431": "Undefined Access (no effect) Bit 7" + "5432": "Undefined Access (no effect) Bit 8" + "5433": "Undefined Access (no effect) Bit 9" + "5434": "Undefined Access (no effect) Bit 10" + "5435": "Undefined Access (no effect) Bit 11" + "5436": "Undefined Access (no effect) Bit 12" + "5437": "Undefined Access (no effect) Bit 13" + "5438": "Undefined Access (no effect) Bit 14" + "5439": "Undefined Access (no effect) Bit 15" + "5440": "ReadGeneralInformation" + "5441": "ReadPreferences" + "5442": "WritePreferences" + "5443": "ReadLogon" + "5444": "ReadAccount" + "5445": "WriteAccount" + "5446": "ChangePassword (with knowledge of old password)" + "5447": "SetPassword (without knowledge of old password)" + "5448": "ListGroups" + "5449": "ReadGroupMembership" + "5450": "ChangeGroupMembership" + "5451": "Undefined Access (no effect) Bit 11" + "5452": "Undefined Access (no effect) Bit 12" + "5453": "Undefined Access (no effect) Bit 13" + "5454": "Undefined Access (no effect) Bit 14" + "5455": "Undefined Access (no effect) Bit 15" + "5632": "View non-sensitive policy information" + "5633": "View system audit requirements" + "5634": "Get sensitive policy information" + "5635": "Modify domain trust relationships" + "5636": "Create special accounts (for assignment of user rights)" + "5637": "Create a secret object" + "5638": "Create a privilege" + "5639": "Set default 
quota limits" + "5640": "Change system audit requirements" + "5641": "Administer audit log attributes" + "5642": "Enable/Disable LSA" + "5643": "Lookup Names/SIDs" + "5648": "Change secret value" + "5649": "Query secret value" + "5650": "Undefined Access (no effect) Bit 2" + "5651": "Undefined Access (no effect) Bit 3" + "5652": "Undefined Access (no effect) Bit 4" + "5653": "Undefined Access (no effect) Bit 5" + "5654": "Undefined Access (no effect) Bit 6" + "5655": "Undefined Access (no effect) Bit 7" + "5656": "Undefined Access (no effect) Bit 8" + "5657": "Undefined Access (no effect) Bit 9" + "5658": "Undefined Access (no effect) Bit 10" + "5659": "Undefined Access (no effect) Bit 11" + "5660": "Undefined Access (no effect) Bit 12" + "5661": "Undefined Access (no effect) Bit 13" + "5662": "Undefined Access (no effect) Bit 14" + "5663": "Undefined Access (no effect) Bit 15" + "5664": "Query trusted domain name/SID" + "5665": "Retrieve the controllers in the trusted domain" + "5666": "Change the controllers in the trusted domain" + "5667": "Query the Posix ID offset assigned to the trusted domain" + "5668": "Change the Posix ID offset assigned to the trusted domain" + "5669": "Undefined Access (no effect) Bit 5" + "5670": "Undefined Access (no effect) Bit 6" + "5671": "Undefined Access (no effect) Bit 7" + "5672": "Undefined Access (no effect) Bit 8" + "5673": "Undefined Access (no effect) Bit 9" + "5674": "Undefined Access (no effect) Bit 10" + "5675": "Undefined Access (no effect) Bit 11" + "5676": "Undefined Access (no effect) Bit 12" + "5677": "Undefined Access (no effect) Bit 13" + "5678": "Undefined Access (no effect) Bit 14" + "5679": "Undefined Access (no effect) Bit 15" + "5680": "Query account information" + "5681": "Change privileges assigned to account" + "5682": "Change quotas assigned to account" + "5683": "Change logon capabilities assigned to account" + "5684": "Change the Posix ID offset assigned to the accounted domain" + "5685": "Undefined 
Access (no effect) Bit 5" + "5686": "Undefined Access (no effect) Bit 6" + "5687": "Undefined Access (no effect) Bit 7" + "5688": "Undefined Access (no effect) Bit 8" + "5689": "Undefined Access (no effect) Bit 9" + "5690": "Undefined Access (no effect) Bit 10" + "5691": "Undefined Access (no effect) Bit 11" + "5692": "Undefined Access (no effect) Bit 12" + "5693": "Undefined Access (no effect) Bit 13" + "5694": "Undefined Access (no effect) Bit 14" + "5695": "Undefined Access (no effect) Bit 15" + "5696": "KeyedEvent Wait" + "5697": "KeyedEvent Wake" + "5698": "Undefined Access (no effect) Bit 2" + "5699": "Undefined Access (no effect) Bit 3" + "5700": "Undefined Access (no effect) Bit 4" + "5701": "Undefined Access (no effect) Bit 5" + "5702": "Undefined Access (no effect) Bit 6" + "5703": "Undefined Access (no effect) Bit 7" + "5704": "Undefined Access (no effect) Bit 8" + "5705": "Undefined Access (no effect) Bit 9" + "5706": "Undefined Access (no effect) Bit 10" + "5707": "Undefined Access (no effect) Bit 11" + "5708": "Undefined Access (no effect) Bit 12" + "5709": "Undefined Access (no effect) Bit 13" + "5710": "Undefined Access (no effect) Bit 14" + "5711": "Undefined Access (no effect) Bit 15" + "6656": "Enumerate desktops" + "6657": "Read attributes" + "6658": "Access Clipboard" + "6659": "Create desktop" + "6660": "Write attributes" + "6661": "Access global atoms" + "6662": "Exit windows" + "6663": "Unused Access Flag" + "6664": "Include this windowstation in enumerations" + "6665": "Read screen" + "6672": "Read Objects" + "6673": "Create window" + "6674": "Create menu" + "6675": "Hook control" + "6676": "Journal (record)" + "6677": "Journal (playback)" + "6678": "Include this desktop in enumerations" + "6679": "Write objects" + "6680": "Switch to this desktop" + "6912": "Administer print server" + "6913": "Enumerate printers" + "6930": "Full Control" + "6931": "Print" + "6948": "Administer Document" + "7168": "Connect to service controller" + "7169": 
"Create a new service" + "7170": "Enumerate services" + "7171": "Lock service database for exclusive access" + "7172": "Query service database lock state" + "7173": "Set last-known-good state of service database" + "7184": "Query service configuration information" + "7185": "Set service configuration information" + "7186": "Query status of service" + "7187": "Enumerate dependencies of service" + "7188": "Start the service" + "7189": "Stop the service" + "7190": "Pause or continue the service" + "7191": "Query information from service" + "7192": "Issue service-specific control commands" + "7424": "DDE Share Read" + "7425": "DDE Share Write" + "7426": "DDE Share Initiate Static" + "7427": "DDE Share Initiate Link" + "7428": "DDE Share Request" + "7429": "DDE Share Advise" + "7430": "DDE Share Poke" + "7431": "DDE Share Execute" + "7432": "DDE Share Add Items" + "7433": "DDE Share List Items" + "7680": "Create Child" + "7681": "Delete Child" + "7682": "List Contents" + "7683": "Write Self" + "7684": "Read Property" + "7685": "Write Property" + "7686": "Delete Tree" + "7687": "List Object" + "7688": "Control Access" + "7689": "Undefined Access (no effect) Bit 9" + "7690": "Undefined Access (no effect) Bit 10" + "7691": "Undefined Access (no effect) Bit 11" + "7692": "Undefined Access (no effect) Bit 12" + "7693": "Undefined Access (no effect) Bit 13" + "7694": "Undefined Access (no effect) Bit 14" + "7695": "Undefined Access (no effect) Bit 15" + "7936": "Audit Set System Policy" + "7937": "Audit Query System Policy" + "7938": "Audit Set Per User Policy" + "7939": "Audit Query Per User Policy" + "7940": "Audit Enumerate Users" + "7941": "Audit Set Options" + "7942": "Audit Query Options" + "8064": "Port sharing (read)" + "8065": "Port sharing (write)" + "8096": "Default credentials" + "8097": "Credentials manager" + "8098": "Fresh credentials" + "8192": "Kerberos" + "8193": "Preshared key" + "8194": "Unknown authentication" + "8195": "DES" + "8196": "3DES" + "8197": 
"MD5" + "8198": "SHA1" + "8199": "Local computer" + "8200": "Remote computer" + "8201": "No state" + "8202": "Sent first (SA) payload" + "8203": "Sent second (KE) payload" + "8204": "Sent third (ID) payload" + "8205": "Initiator" + "8206": "Responder" + "8207": "No state" + "8208": "Sent first (SA) payload" + "8209": "Sent final payload" + "8210": "Complete" + "8211": "Unknown" + "8212": "Transport" + "8213": "Tunnel" + "8214": "IKE/AuthIP DoS prevention mode started" + "8215": "IKE/AuthIP DoS prevention mode stopped" + "8216": "Enabled" + "8217": "Not enabled" + "8218": "No state" + "8219": "Sent first (EM attributes) payload" + "8220": "Sent second (SSPI) payload" + "8221": "Sent third (hash) payload" + "8222": "IKEv1" + "8223": "AuthIP" + "8224": "Anonymous" + "8225": "NTLM V2" + "8226": "CGA" + "8227": "Certificate" + "8228": "SSL" + "8229": "None" + "8230": "DH group 1" + "8231": "DH group 2" + "8232": "DH group 14" + "8233": "DH group ECP 256" + "8234": "DH group ECP 384" + "8235": "AES-128" + "8236": "AES-192" + "8237": "AES-256" + "8238": "Certificate ECDSA P256" + "8239": "Certificate ECDSA P384" + "8240": "SSL ECDSA P256" + "8241": "SSL ECDSA P384" + "8242": "SHA 256" + "8243": "SHA 384" + "8244": "IKEv2" + "8245": "EAP payload sent" + "8246": "Authentication payload sent" + "8247": "EAP" + "8248": "DH group 24" + "8272": "System" + "8273": "Logon/Logoff" + "8274": "Object Access" + "8275": "Privilege Use" + "8276": "Detailed Tracking" + "8277": "Policy Change" + "8278": "Account Management" + "8279": "DS Access" + "8280": "Account Logon" + "8448": "Success removed" + "8449": "Success Added" + "8450": "Failure removed" + "8451": "Failure Added" + "8452": "Success include removed" + "8453": "Success include added" + "8454": "Success exclude removed" + "8455": "Success exclude added" + "8456": "Failure include removed" + "8457": "Failure include added" + "8458": "Failure exclude removed" + "8459": "Failure exclude added" + "12288": "Security State Change" + 
"12289": "Security System Extension" + "12290": "System Integrity" + "12291": "IPsec Driver" + "12292": "Other System Events" + "12544": "Logon" + "12545": "Logoff" + "12546": "Account Lockout" + "12547": "IPsec Main Mode" + "12548": "Special Logon" + "12549": "IPsec Quick Mode" + "12550": "IPsec Extended Mode" + "12551": "Other Logon/Logoff Events" + "12552": "Network Policy Server" + "12553": "User / Device Claims" + "12554": "Group Membership" + "12800": "File System" + "12801": "Registry" + "12802": "Kernel Object" + "12803": "SAM" + "12804": "Other Object Access Events" + "12805": "Certification Services" + "12806": "Application Generated" + "12807": "Handle Manipulation" + "12808": "File Share" + "12809": "Filtering Platform Packet Drop" + "12810": "Filtering Platform Connection" + "12811": "Detailed File Share" + "12812": "Removable Storage" + "12813": "Central Policy Staging" + "13056": "Sensitive Privilege Use" + "13057": "Non Sensitive Privilege Use" + "13058": "Other Privilege Use Events" + "13312": "Process Creation" + "13313": "Process Termination" + "13314": "DPAPI Activity" + "13315": "RPC Events" + "13316": "Plug and Play Events" + "13317": "Token Right Adjusted Events" + "13568": "Audit Policy Change" + "13569": "Authentication Policy Change" + "13570": "Authorization Policy Change" + "13571": "MPSSVC Rule-Level Policy Change" + "13572": "Filtering Platform Policy Change" + "13573": "Other Policy Change Events" + "13824": "User Account Management" + "13825": "Computer Account Management" + "13826": "Security Group Management" + "13827": "Distribution Group Management" + "13828": "Application Group Management" + "13829": "Other Account Management Events" + "14080": "Directory Service Access" + "14081": "Directory Service Changes" + "14082": "Directory Service Replication" + "14083": "Detailed Directory Service Replication" + "14336": "Credential Validation" + "14337": "Kerberos Service Ticket Operations" + "14338": "Other Account Logon Events" + 
"14339": "Kerberos Authentication Service" + "14592": "Inbound" + "14593": "Outbound" + "14594": "Forward" + "14595": "Bidirectional" + "14596": "IP Packet" + "14597": "Transport" + "14598": "Forward" + "14599": "Stream" + "14600": "Datagram Data" + "14601": "ICMP Error" + "14602": "MAC 802.3" + "14603": "MAC Native" + "14604": "vSwitch" + "14608": "Resource Assignment" + "14609": "Listen" + "14610": "Receive/Accept" + "14611": "Connect" + "14612": "Flow Established" + "14614": "Resource Release" + "14615": "Endpoint Closure" + "14616": "Connect Redirect" + "14617": "Bind Redirect" + "14624": "Stream Packet" + "14640": "ICMP Echo-Request" + "14641": "vSwitch Ingress" + "14642": "vSwitch Egress" + "14672": "" + "14673": "[NULL]" + "14674": "Value Added" + "14675": "Value Deleted" + "14676": "Active Directory Domain Services" + "14677": "Active Directory Lightweight Directory Services" + "14678": "Yes" + "14679": "No" + "14680": "Value Added With Expiration Time" + "14681": "Value Deleted With Expiration Time" + "14688": "Value Auto Deleted With Expiration Time" + "16384": "Add" + "16385": "Delete" + "16386": "Boot-time" + "16387": "Persistent" + "16388": "Not persistent" + "16389": "Block" + "16390": "Permit" + "16391": "Callout" + "16392": "MD5" + "16393": "SHA-1" + "16394": "SHA-256" + "16395": "AES-GCM 128" + "16396": "AES-GCM 192" + "16397": "AES-GCM 256" + "16398": "DES" + "16399": "3DES" + "16400": "AES-128" + "16401": "AES-192" + "16402": "AES-256" + "16403": "Transport" + "16404": "Tunnel" + "16405": "Responder" + "16406": "Initiator" + "16407": "AES-GMAC 128" + "16408": "AES-GMAC 192" + "16409": "AES-GMAC 256" + "16416": "AuthNoEncap Transport" + "16896": "Enable WMI Account" + "16897": "Execute Method" + "16898": "Full Write" + "16899": "Partial Write" + "16900": "Provider Write" + "16901": "Remote Access" + "16902": "Subscribe" + "16903": "Publish" + reversed_descriptions: + "..." 
: ["1831"] + "3DES" : ["8196","16399"] + "64-bit Integer" : ["1820"] + "" : ["14672"] + "" : ["1800"] + "" : ["1794"] + "" : ["1793"] + "ACCESS_SYS_SEC" : ["1542"] + "AES-128" : ["16400","8235"] + "AES-192" : ["8236","16401"] + "AES-256" : ["16402","8237"] + "AES-GCM 128" : ["16395"] + "AES-GCM 192" : ["16396"] + "AES-GCM 256" : ["16397"] + "AES-GMAC 128" : ["16407"] + "AES-GMAC 192" : ["16408"] + "AES-GMAC 256" : ["16409"] + "Access Clipboard" : ["6658"] + "Access global atoms" : ["6661"] + "Account Disabled" : ["2080"] + "Account Enabled" : ["2048"] + "Account Locked" : ["2090"] + "Account Lockout" : ["12546"] + "Account Logon" : ["8280"] + "Account Management" : ["8278"] + "Account Unlocked" : ["2058"] + "Account currently disabled." : ["2310"] + "Account locked out." : ["2307"] + "Account logon time restriction violation." : ["2311"] + "Active Directory Domain Services" : ["14676"] + "Active Directory Lightweight Directory Services" : ["14677"] + "Add" : ["16384"] + "Add context." : ["2491"] + "Add function property." : ["2497"] + "Add function provider." : ["2495"] + "Add function." : ["2493"] + "Add provider." : ["2489"] + "AddMember" : ["5410","5424"] + "AdjustDefaultDacl" : ["4599"] + "AdjustGroups" : ["4598"] + "AdjustPrivileges" : ["4597"] + "AdjustSessionID" : ["4600"] + "Administer Document" : ["6948"] + "Administer audit log attributes" : ["5641"] + "Administer print server" : ["6912"] + "AdministerServer" : ["5402"] + "All" : ["1797"] + "An Error occured during Logon." 
: ["2304"] + "Anonymous" : ["8224"] + "AppendData (or AddSubdirectory or CreatePipeInstance)" : ["4418"] + "Application Generated" : ["12806"] + "Application Group Management" : ["13828"] + "Assign Primary Token Privilege" : ["1603"] + "Assign a token to the thread" : ["4567"] + "Assign process" : ["5136"] + "AssignAsPrimary" : ["4592"] + "Audit Enumerate Users" : ["7940"] + "Audit Policy Change" : ["13568"] + "Audit Policy query/set API Operation" : ["1799"] + "Audit Query Options" : ["7942"] + "Audit Query Per User Policy" : ["7939"] + "Audit Query System Policy" : ["7937"] + "Audit Set Options" : ["7941"] + "Audit Set Per User Policy" : ["7938"] + "Audit Set System Policy" : ["7936"] + "AuthIP" : ["8223"] + "AuthNoEncap Transport" : ["16416"] + "Authentication Policy Change" : ["13569"] + "Authentication payload sent" : ["8246"] + "Authorization Policy Change" : ["13570"] + "Auto" : ["1849"] + "Backup Privilege" : ["1617"] + "Bidirectional" : ["14595"] + "Bind Redirect" : ["14617"] + "Blob" : ["1822"] + "Block" : ["16389"] + "Boolean" : ["1824"] + "Boot-time" : ["16386"] + "CGA" : ["8226"] + "Callout" : ["16391"] + "Cause thread to directly impersonate another thread" : ["4568"] + "Central Policy Staging" : ["12813"] + "Certificate" : ["8227"] + "Certificate ECDSA P256" : ["8238"] + "Certificate ECDSA P384" : ["8239"] + "Certification Services" : ["12805"] + "Change Hardware Environment Privilege" : ["1622"] + "Change Notify (and Traverse) Privilege" : ["1623"] + "Change logon capabilities assigned to account" : ["5683"] + "Change privileges assigned to account" : ["5681"] + "Change quotas assigned to account" : ["5682"] + "Change secret value" : ["5648"] + "Change system audit requirements" : ["5640"] + "Change the Posix ID offset assigned to the accounted domain" : ["5684"] + "Change the Posix ID offset assigned to the trusted domain" : ["5668"] + "Change the controllers in the trusted domain" : ["5666"] + "ChangeGroupMembership" : ["5450"] + "ChangePassword 
(with knowledge of old password)" : ["5446"] + "Channel query information" : ["5122"] + "Channel read message" : ["5120"] + "Channel set information" : ["5123"] + "Channel write message" : ["5121"] + "Communicate using port" : ["4464"] + "Complete" : ["8210"] + "Computer Account Management" : ["13825"] + "Connect" : ["14611"] + "Connect Redirect" : ["14616"] + "Connect to service controller" : ["7168"] + "ConnectToServer" : ["5376"] + "Control Access" : ["7688"] + "Control profile" : ["4496"] + "Create Child" : ["7680"] + "Create Key." : ["2481"] + "Create Link" : ["4437"] + "Create Pagefile Privilege" : ["1615"] + "Create Permanent Object Privilege" : ["1616"] + "Create a new service" : ["7169"] + "Create a privilege" : ["5638"] + "Create a secret object" : ["5637"] + "Create a subprocess of process" : ["4487"] + "Create desktop" : ["6659"] + "Create instance of object type" : ["4608"] + "Create menu" : ["6674"] + "Create new thread in process" : ["4481"] + "Create object in directory" : ["4370"] + "Create special accounts (for assignment of user rights)" : ["5636"] + "Create sub-directory" : ["4371"] + "Create sub-key" : ["4434"] + "Create window" : ["6673"] + "CreateDomain" : ["5379"] + "CreateGlobalGroup" : ["5397"] + "CreateLocalGroup" : ["5398"] + "CreateUser" : ["5396"] + "Credential Validation" : ["14336"] + "Credentials manager" : ["8097"] + "DDE Share Add Items" : ["7432"] + "DDE Share Advise" : ["7429"] + "DDE Share Execute" : ["7431"] + "DDE Share Initiate Link" : ["7427"] + "DDE Share Initiate Static" : ["7426"] + "DDE Share List Items" : ["7433"] + "DDE Share Poke" : ["7430"] + "DDE Share Read" : ["7424"] + "DDE Share Request" : ["7428"] + "DDE Share Write" : ["7425"] + "DELETE" : ["1537"] + "DES" : ["16398","8195"] + "DH group 1" : ["8230"] + "DH group 14" : ["8232"] + "DH group 2" : ["8231"] + "DH group 24" : ["8248"] + "DH group ECP 256" : ["8233"] + "DH group ECP 384" : ["8234"] + "DPAPI Activity" : ["13314"] + "DS Access" : ["8279"] + "Datagram 
Data" : ["14600"] + "Debug Privilege" : ["1620"] + "Decrypt." : ["2484"] + "Default" : ["1846"] + "Default credentials" : ["8096"] + "Delegation" : ["1840"] + "Delete" : ["16385"] + "Delete Child" : ["7681"] + "Delete Key." : ["2482"] + "Delete Tree" : ["7686"] + "Delete key file." : ["2457"] + "DeleteChild" : ["4422"] + "Denied by" : ["1802"] + "Denied by ACE on parent folder" : ["1812"] + "Denied by Empty DACL" : ["1807"] + "Denied by Integrity Policy check" : ["1803"] + "Denied by Process Trust Label ACE" : ["1841"] + "Detailed Directory Service Replication" : ["14083"] + "Detailed File Share" : ["12811"] + "Detailed Tracking" : ["8276"] + "Device Access Bit 0" : ["4352"] + "Device Access Bit 1" : ["4353"] + "Device Access Bit 2" : ["4354"] + "Device Access Bit 3" : ["4355"] + "Device Access Bit 4" : ["4356"] + "Device Access Bit 5" : ["4357"] + "Device Access Bit 6" : ["4358"] + "Device Access Bit 7" : ["4359"] + "Device Access Bit 8" : ["4360"] + "Directly impersonate this thread" : ["4569"] + "Directory Service Access" : ["14080"] + "Directory Service Changes" : ["14081"] + "Directory Service Replication" : ["14082"] + "Disabled" : ["1796"] + "DisallowMmConfig" : ["1847"] + "Distribution Group Management" : ["13827"] + "Domain settings" : ["2487"] + "Domain sid inconsistent." : ["2314"] + "Don't Expire Password' - Disabled" : ["2057"] + "Don't Expire Password' - Enabled" : ["2089"] + "Don't Require Preauth' - Disabled" : ["2064"] + "Don't Require Preauth' - Enabled" : ["2096"] + "Duplicate" : ["4593"] + "Duplicate handle into or out of process" : ["4486"] + "EAP" : ["8247"] + "EAP payload sent" : ["8245"] + "Enable 64(or 32) bit application to open 32 bit key" : ["4441"] + "Enable 64(or 32) bit application to open 64 bit key" : ["4440"] + "Enable WMI Account" : ["16896"] + "Enable/Disable LSA" : ["5642"] + "Enabled" : ["1795","8216"] + "Encrypt." 
: ["2483"] + "Encrypted Text Password Allowed' - Disabled" : ["2059"] + "Encrypted Text Password Allowed' - Enabled" : ["2091"] + "Endpoint Closure" : ["14615"] + "Enumerate dependencies of service" : ["7187"] + "Enumerate desktops" : ["6656"] + "Enumerate printers" : ["6913"] + "Enumerate services" : ["7170"] + "Enumerate sub-keys" : ["4435"] + "EnumerateDomains" : ["5380"] + "Exclude Authorization Information' - Disabled" : ["2067"] + "Exclude Authorization Information' - Enabled" : ["2099"] + "Execute Method" : ["16897"] + "Execute/Traverse" : ["4421"] + "Existing registry value modified" : ["1905"] + "Exit windows" : ["6662"] + "Export of persistent cryptographic key." : ["2464"] + "Extend size" : ["4516"] + "FALSE" : ["1826"] + "FQBN" : ["1821"] + "Failed to unprotect persistent cryptographic key." : ["2448"] + "Failed to zero secret data." : ["2438"] + "Failure Added" : ["8451"] + "Failure exclude added" : ["8459"] + "Failure exclude removed" : ["8458"] + "Failure include added" : ["8457"] + "Failure include removed" : ["8456"] + "Failure removed" : ["8450"] + "File Share" : ["12808"] + "File System" : ["12800"] + "Filtering Platform Connection" : ["12810"] + "Filtering Platform Packet Drop" : ["12809"] + "Filtering Platform Policy Change" : ["13572"] + "Flow Established" : ["14612"] + "Force process termination" : ["4480"] + "Force thread termination" : ["4560"] + "Forward" : ["14598","14594"] + "Fresh credentials" : ["8098"] + "Friday" : ["1925"] + "Full Control" : ["6930"] + "Full Write" : ["16898"] + "Get sensitive policy information" : ["5634"] + "Get thread context" : ["4563"] + "GetLocalGroupMembership" : ["5399"] + "Granted by" : ["1801"] + "Granted by ACE on parent folder" : ["1811"] + "Granted by Central Access Rule" : ["1813"] + "Granted by NULL DACL" : ["1806"] + "Granted by NULL Security Descriptor" : ["1808"] + "Granted by Ownership" : ["1804"] + "Granted by parent folder's Central Access Rule" : ["1815"] + "Group Membership" : ["12554"] + 
"Handle Manipulation" : ["12807"] + "Home Directory Required' - Disabled" : ["2049"] + "Home Directory Required' - Enabled" : ["2081"] + "Hook control" : ["6675"] + "ICMP Echo-Request" : ["14640"] + "ICMP Error" : ["14601"] + "IKE/AuthIP DoS prevention mode started" : ["8214"] + "IKE/AuthIP DoS prevention mode stopped" : ["8215"] + "IKEv1" : ["8222"] + "IKEv2" : ["8244"] + "IP Packet" : ["14596"] + "IPsec Driver" : ["12291"] + "IPsec Extended Mode" : ["12550"] + "IPsec Main Mode" : ["12547"] + "IPsec Quick Mode" : ["12549"] + "Identification" : ["1832"] + "Impersonate" : ["4594"] + "Impersonation" : ["1833"] + "Import of persistent cryptographic key." : ["2465"] + "Inbound" : ["14592"] + "Include this desktop in enumerations" : ["6678"] + "Include this windowstation in enumerations" : ["6664"] + "Increase Memory Quota Privilege" : ["1605"] + "Increment Base Priority Privilege" : ["1614"] + "InitializeServer" : ["5378"] + "Initiator" : ["8205","16406"] + "Interdomain Trust Account' - Disabled" : ["2054"] + "Interdomain Trust Account' - Enabled" : ["2086"] + "Invalid" : ["1827"] + "Issue service-specific control commands" : ["7192"] + "Journal (playback)" : ["6677"] + "Journal (record)" : ["6676"] + "Kerberos" : ["8192"] + "Kerberos Authentication Service" : ["14339"] + "Kerberos Service Ticket Operations" : ["14337"] + "Kernel Object" : ["12802"] + "Key Derivation." : ["2501"] + "Key export checks failed." : ["2449"] + "Key failed pair wise consistency check." 
: ["2439"] + "KeyedEvent Wait" : ["5696"] + "KeyedEvent Wake" : ["5697"] + "List Contents" : ["7682"] + "List Object" : ["7687"] + "ListAccounts" : ["5400"] + "ListGroups" : ["5448"] + "ListMembers" : ["5412","5426"] + "Listen" : ["14609"] + "Load/Unload Driver Privilege" : ["1610"] + "Local computer" : ["8199"] + "Local settings" : ["2488"] + "Lock Memory Privilege" : ["1604"] + "Lock service database for exclusive access" : ["7171"] + "Logoff" : ["12545"] + "Logon" : ["12544"] + "Logon/Logoff" : ["8273"] + "Lookup Names/SIDs" : ["5643"] + "LookupDomain" : ["5381"] + "LookupIDs" : ["5401"] + "MAC 802.3" : ["14602"] + "MAC Native" : ["14603"] + "MAX_ALLOWED" : ["1543"] + "MD5" : ["16392","8197"] + "MNS Logon Account' - Disabled" : ["2053"] + "MNS Logon Account' - Enabled" : ["2085"] + "MPSSVC Rule-Level Policy Change" : ["13571"] + "Machine key." : ["2499"] + "Map section for execute" : ["4515"] + "Map section for read" : ["4514"] + "Map section for write" : ["4513"] + "Modify State" : ["4865"] + "Modify domain trust relationships" : ["5635"] + "Modify event state" : ["4385"] + "Modify semaphore state" : ["4529"] + "Modify timer state" : ["4577"] + "Monday" : ["1921"] + "NOT Granted by Central Access Rule" : ["1814"] + "NOT Granted by parent folder's Central Access Rule" : ["1816"] + "NTLM V2" : ["8225"] + "Network Policy Server" : ["12552"] + "New registry value created" : ["1904"] + "No" : ["14679","1843"] + "No state" : ["8207","8218","8201"] + "Non Sensitive Privilege Use" : ["13057"] + "None" : ["1798","8229"] + "Normal Account' - Disabled" : ["2052"] + "Normal Account' - Enabled" : ["2084"] + "Not Available" : ["1845"] + "Not Available." 
: ["2432"] + "Not Delegated' - Disabled" : ["2062"] + "Not Delegated' - Enabled" : ["2094"] + "Not enabled" : ["8217"] + "Not granted" : ["1805"] + "Not granted due to missing" : ["1810"] + "Not granted to AppContainers" : ["1830"] + "Not persistent" : ["16388"] + "Not used" : ["1601"] + "Notify about changes to keys" : ["4436"] + "Object Access" : ["8274"] + "Off" : ["1848"] + "Open Key." : ["2480"] + "Open key file." : ["2456"] + "Other Account Logon Events" : ["14338"] + "Other Account Management Events" : ["13829"] + "Other Logon/Logoff Events" : ["12551"] + "Other Object Access Events" : ["12804"] + "Other Policy Change Events" : ["13573"] + "Other Privilege Use Events" : ["13058"] + "Other System Events" : ["12292"] + "Outbound" : ["14593"] + "Partial Write" : ["16899"] + "Password Expired' - Disabled" : ["2065"] + "Password Expired' - Enabled" : ["2097"] + "Password Not Required' - Disabled" : ["2050"] + "Password Not Required' - Enabled" : ["2082"] + "Pause or continue the service" : ["7190"] + "Perform virtual memory operation" : ["4483"] + "Permit" : ["16390"] + "Persistent" : ["16387"] + "Plug and Play Events" : ["13316"] + "Policy Change" : ["8277"] + "Port sharing (read)" : ["8064"] + "Port sharing (write)" : ["8065"] + "Preshared key" : ["8193"] + "Print" : ["6931"] + "Privilege Use" : ["8275"] + "Process Creation" : ["13312"] + "Process Termination" : ["13313"] + "Profile Single Process Privilege" : ["1613"] + "Profile System Privilege" : ["1611"] + "Protect Kerberos Service Tickets with AES Keys' - Disabled" : ["2069"] + "Protect Kerberos Service Tickets with AES Keys' - Enabled" : ["2101"] + "Provider Write" : ["16900"] + "Publish" : ["16903"] + "Query" : ["4595"] + "Query Attributes" : ["5138"] + "Query State" : ["4864"] + "Query account information" : ["5680"] + "Query directory" : ["4368"] + "Query event state" : ["4384"] + "Query information from service" : ["7191"] + "Query key value" : ["4432"] + "Query mutant state" : ["4448"] + "Query 
process information" : ["4490"]
+ "Query secret value" : ["5649"]
+ "Query section state" : ["4512"]
+ "Query semaphore state" : ["4528"]
+ "Query service configuration information" : ["7184"]
+ "Query service database lock state" : ["7172"]
+ "Query status of service" : ["7186"]
+ "Query the Posix ID offset assigned to the trusted domain" : ["5667"]
+ "Query thread information" : ["4566"]
+ "Query timer state" : ["4576"]
+ "Query trusted domain name/SID" : ["5664"]
+ "QuerySource" : ["4596"]
+ "READ_CONTROL" : ["1538"]
+ "REG_BINARY" : ["1875"]
+ "REG_DWORD" : ["1876"]
+ "REG_DWORD_BIG_ENDIAN" : ["1877"]
+ "REG_EXPAND_SZ" : ["1874"]
+ "REG_FULL_RESOURCE_DESCRIPTOR" : ["1881"]
+ "REG_LINK" : ["1878"]
+ "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" : ["1879"]
+ "REG_NONE" : ["1872"]
+ "REG_QWORD" : ["1883"]
+ "REG_RESOURCE_LIST" : ["1880"]
+ "REG_RESOURCE_REQUIREMENTS_LIST" : ["1882"]
+ "REG_SZ" : ["1873"]
+ "RPC Events" : ["13315"]
+ "Random number generation failed FIPS-140 pre-hash check." : ["2437"]
+ "Random number generator failure." : ["2436"]
+ "Read Objects" : ["6672"]
+ "Read Property" : ["7684"]
+ "Read attributes" : ["6657"]
+ "Read from process memory" : ["4484"]
+ "Read persisted key from file." : ["2458"]
+ "Read screen" : ["6665"]
+ "ReadAccount" : ["5444"]
+ "ReadAttributes" : ["4423"]
+ "ReadData (or ListDirectory)" : ["4416"]
+ "ReadEA" : ["4419"]
+ "ReadGeneralInformation" : ["5440"]
+ "ReadGroupMembership" : ["5449"]
+ "ReadInformation" : ["5427","5408"]
+ "ReadLogon" : ["5443"]
+ "ReadOtherParameters" : ["5394"]
+ "ReadPasswordParameters" : ["5392"]
+ "ReadPreferences" : ["5441"]
+ "Receive/Accept" : ["14610"]
+ "Registry" : ["12801"]
+ "Registry value deleted" : ["1906"]
+ "Remote Access" : ["16901"]
+ "Remote computer" : ["8200"]
+ "Remotely Shut System Down Privilege" : ["1624"]
+ "Removable Storage" : ["12812"]
+ "Remove context." : ["2492"]
+ "Remove function property." : ["2498"]
+ "Remove function provider."
: ["2496"]
+ "Remove function." : ["2494"]
+ "Remove provider." : ["2490"]
+ "RemoveMember" : ["5425","5411"]
+ "Resource Assignment" : ["14608"]
+ "Resource Release" : ["14614"]
+ "Responder" : ["16405","8206"]
+ "Restore From Backup Privilege" : ["1618"]
+ "Retrieve the controllers in the trusted domain" : ["5665"]
+ "SAM" : ["12803"]
+ "SHA 256" : ["8242"]
+ "SHA 384" : ["8243"]
+ "SHA-1" : ["16393"]
+ "SHA-256" : ["16394"]
+ "SHA1" : ["8198"]
+ "SSL" : ["8228"]
+ "SSL ECDSA P256" : ["8240"]
+ "SSL ECDSA P384" : ["8241"]
+ "SYNCHRONIZE" : ["1541"]
+ "Saturday" : ["1926"]
+ "Secret agreement." : ["2486"]
+ "Security Group Management" : ["13826"]
+ "Security Privilege" : ["1608"]
+ "Security State Change" : ["12288"]
+ "Security System Extension" : ["12289"]
+ "Send an alert to thread" : ["4562"]
+ "Sensitive Privilege Use" : ["13056"]
+ "Sent final payload" : ["8209"]
+ "Sent first (EM attributes) payload" : ["8219"]
+ "Sent first (SA) payload" : ["8208","8202"]
+ "Sent second (KE) payload" : ["8203"]
+ "Sent second (SSPI) payload" : ["8220"]
+ "Sent third (ID) payload" : ["8204"]
+ "Sent third (hash) payload" : ["8221"]
+ "Server Trust Account' - Disabled" : ["2056"]
+ "Server Trust Account' - Enabled" : ["2088"]
+ "Set Attributes" : ["5137"]
+ "Set Security Attributes" : ["5140"]
+ "Set System Time Privilege" : ["1612"]
+ "Set default quota limits" : ["5639"]
+ "Set key value" : ["4433"]
+ "Set last-known-good state of service database" : ["7173"]
+ "Set process information" : ["4489"]
+ "Set process quotas" : ["4488"]
+ "Set process session ID" : ["4482"]
+ "Set process termination port" : ["4491"]
+ "Set service configuration information" : ["7185"]
+ "Set thread context" : ["4564"]
+ "Set thread information" : ["4565"]
+ "SetPassword (without knowledge of old password)" : ["5447"]
+ "Shutdown System Privilege" : ["1619"]
+ "ShutdownServer" : ["5377"]
+ "Sid" : ["1823"]
+ "Sign hash." : ["2485"]
+ "Signature verification failed."
: ["2451"]
+ "Smartcard Required' - Disabled" : ["2060"]
+ "Smartcard Required' - Enabled" : ["2092"]
+ "Smartcard logon is required and was not used." : ["2315"]
+ "Special Logon" : ["12548"]
+ "Start the service" : ["7188"]
+ "Stop the service" : ["7189"]
+ "Stream" : ["14599"]
+ "Stream Packet" : ["14624"]
+ "String" : ["1818"]
+ "Subscribe" : ["16902"]
+ "Success Added" : ["8449"]
+ "Success exclude added" : ["8455"]
+ "Success exclude removed" : ["8454"]
+ "Success include added" : ["8453"]
+ "Success include removed" : ["8452"]
+ "Success removed" : ["8448"]
+ "Sunday" : ["1920"]
+ "Suspend or resume thread" : ["4561"]
+ "Switch to this desktop" : ["6680"]
+ "System" : ["1844","8272"]
+ "System Integrity" : ["12290"]
+ "TRUE" : ["1825"]
+ "Take Ownership Privilege" : ["1609"]
+ "Temp Duplicate Account' - Disabled" : ["2051"]
+ "Temp Duplicate Account' - Enabled" : ["2083"]
+ "Terminate Job" : ["5139"]
+ "The NetLogon component is not active." : ["2306"]
+ "The specified account's password has expired." : ["2309"]
+ "The specified user account has expired." : ["2305"]
+ "The user has not been granted the requested logon type at this machine."
: ["2308"]
+ "Thursday" : ["1924"]
+ "Token Right Adjusted Events" : ["13317"]
+ "TokenElevationTypeDefault (1)" : ["1936"]
+ "TokenElevationTypeFull (2)" : ["1937"]
+ "TokenElevationTypeLimited (3)" : ["1938"]
+ "Transport" : ["14597","16403","8212"]
+ "Traverse" : ["4369"]
+ "Trusted Computer Base Privilege" : ["1607"]
+ "Trusted For Delegation' - Disabled" : ["2061"]
+ "Trusted For Delegation' - Enabled" : ["2093"]
+ "Trusted To Authenticate For Delegation' - Disabled" : ["2066"]
+ "Trusted To Authenticate For Delegation' - Enabled" : ["2098"]
+ "Tuesday" : ["1922"]
+ "Tunnel" : ["16404","8213"]
+ "Undefined Access (no effect) Bit 1" : ["4609","4545","4497","4465","4449"]
+ "Undefined Access (no effect) Bit 10" : ["4554","4618","4378","5418","4474","7690","5690","4442","4522","4458","4602","5658","5434","5146","5706","4426","5386","4362","4538","4570","4586","5674","4506","4394","5130"]
+ "Undefined Access (no effect) Bit 11" : ["4587","5435","5691","5675","4603","4379","5451","5387","5707","4619","7691","4395","4459","4427","4571","4363","4539","5403","4443","5147","4523","5131","4475","4555","4507","5419","5659"]
+ "Undefined Access (no effect) Bit 12" : ["5660","4364","4620","5708","4540","4428","4524","5148","5420","4508","5404","5452","4380","4460","4604","5436","4492","4396","4556","7692","5676","4588","4476","4572","4444","5132","5692","5388"]
+ "Undefined Access (no effect) Bit 13" : ["5149","5437","4477","5389","4525","4557","5421","4605","4541","4461","5677","5693","4509","4621","4589","4381","5405","4429","4445","4573","5661","4397","5709","4365","5453","7693","4493","5133"]
+ "Undefined Access (no effect) Bit 14" : ["4510","4366","4606","4462","4558","5694","4446","5710","5390","5438","4478","4398","4382","4590","5150","5454","5134","5678","7694","5662","4526","4622","5422","4574","4542","4494","4430","5406"]
+ "Undefined Access (no effect) Bit 15" :
["4399","5679","4447","5391","5407","5135","4559","4591","5663","5439","4511","4431","4495","5151","4607","7695","4623","4575","4543","4479","5455","4367","4383","5695","5423","5711","4527","4463"]
+ "Undefined Access (no effect) Bit 2" : ["4450","4498","4466","5698","4386","5650","4610","4578","4530","4546"]
+ "Undefined Access (no effect) Bit 3" : ["4451","5699","4579","5651","4467","4387","4547","4611","4531","4499"]
+ "Undefined Access (no effect) Bit 4" : ["4372","5652","5124","4468","4580","4548","4500","4452","4532","5700","4612","4388"]
+ "Undefined Access (no effect) Bit 5" : ["5669","5701","5653","4517","4453","4469","4501","5125","4549","4533","4581","5429","5685","4373","5413","4389","4613","5141"]
+ "Undefined Access (no effect) Bit 6" : ["5654","4534","4502","4390","5414","5382","4550","4582","4518","4614","4438","4454","4374","5126","4470","5430","5702","5670","5686","5142"]
+ "Undefined Access (no effect) Bit 7" : ["4519","4455","5143","4375","5703","4471","5383","5415","4391","5687","5431","5655","4551","5127","4503","4439","5671","279","4535","4615"]
+ "Undefined Access (no effect) Bit 8" : ["5144","4376","5656","4552","4472","4504","4456","5128","4392","4616","4536","4584","4520","5432","5384","5672","5416","5704","5688"]
+ "Undefined Access (no effect) Bit 9" : ["5433","5145","4361","4457","4601","4537","4585","4393","4521","5657","5673","4553","7689","5385","4425","4505","4377","5689","5417","5705","4617","5129","4473"]
+ "Undefined UserAccountControl Bit 20' - Disabled" : ["2068"]
+ "Undefined UserAccountControl Bit 20' - Enabled" : ["2100"]
+ "Undefined UserAccountControl Bit 22' - Disabled" : ["2070"]
+ "Undefined UserAccountControl Bit 22' - Enabled" : ["2102"]
+ "Undefined UserAccountControl Bit 23' - Disabled" : ["2071"]
+ "Undefined UserAccountControl Bit 23' - Enabled" : ["2103"]
+ "Undefined UserAccountControl Bit 24' - Disabled" : ["2072"]
+ "Undefined UserAccountControl Bit 24' - Enabled" : ["2104"]
+ "Undefined UserAccountControl
Bit 25' - Disabled" : ["2073"]
+ "Undefined UserAccountControl Bit 25' - Enabled" : ["2105"]
+ "Undefined UserAccountControl Bit 26' - Disabled" : ["2074"]
+ "Undefined UserAccountControl Bit 26' - Enabled" : ["2106"]
+ "Undefined UserAccountControl Bit 27' - Disabled" : ["2075"]
+ "Undefined UserAccountControl Bit 27' - Enabled" : ["2107"]
+ "Undefined UserAccountControl Bit 28' - Disabled" : ["2076"]
+ "Undefined UserAccountControl Bit 28' - Enabled" : ["2108"]
+ "Undefined UserAccountControl Bit 29' - Disabled" : ["2077"]
+ "Undefined UserAccountControl Bit 29' - Enabled" : ["2109"]
+ "Undefined UserAccountControl Bit 30' - Disabled" : ["2078"]
+ "Undefined UserAccountControl Bit 30' - Enabled" : ["2110"]
+ "Undefined UserAccountControl Bit 31' - Disabled" : ["2079"]
+ "Undefined UserAccountControl Bit 31' - Enabled" : ["2111"]
+ "Unknown" : ["8211"]
+ "Unknown Type" : ["1817"]
+ "Unknown authentication" : ["8194"]
+ "Unknown or unchecked" : ["1809"]
+ "Unknown specific access (bit 0)" : ["1552"]
+ "Unknown specific access (bit 1)" : ["1553"]
+ "Unknown specific access (bit 10)" : ["1562"]
+ "Unknown specific access (bit 11)" : ["1563"]
+ "Unknown specific access (bit 12)" : ["1564"]
+ "Unknown specific access (bit 13)" : ["1565"]
+ "Unknown specific access (bit 14)" : ["1566"]
+ "Unknown specific access (bit 15)" : ["1567"]
+ "Unknown specific access (bit 2)" : ["1554"]
+ "Unknown specific access (bit 3)" : ["1555"]
+ "Unknown specific access (bit 4)" : ["1556"]
+ "Unknown specific access (bit 5)" : ["1557"]
+ "Unknown specific access (bit 6)" : ["1558"]
+ "Unknown specific access (bit 7)" : ["1559"]
+ "Unknown specific access (bit 8)" : ["1560"]
+ "Unknown specific access (bit 9)" : ["1561"]
+ "Unknown user name or bad password."
: ["2313"]
+ "Unsigned 64-bit Integer" : ["1819"]
+ "Unsolicited Input Privilege" : ["1606"]
+ "Unused Access Flag" : ["6663"]
+ "Unused message ID" : ["1536"]
+ "Use DES Key Only' - Disabled" : ["2063"]
+ "Use DES Key Only' - Enabled" : ["2095"]
+ "Use symbolic link" : ["4544"]
+ "User / Device Claims" : ["12553"]
+ "User Account Management" : ["13824"]
+ "User key." : ["2500"]
+ "User not allowed to logon at this computer." : ["2312"]
+ "Validation of public key failed." : ["2450"]
+ "Value Added" : ["14674"]
+ "Value Added With Expiration Time" : ["14680"]
+ "Value Auto Deleted With Expiration Time" : ["14688"]
+ "Value Deleted" : ["14675"]
+ "Value Deleted With Expiration Time" : ["14681"]
+ "View non-sensitive policy information" : ["5632"]
+ "View or Change Audit Log Privilege" : ["1621"]
+ "View system audit requirements" : ["5633"]
+ "WRITE_DAC" : ["1539"]
+ "WRITE_OWNER" : ["1540"]
+ "Wednesday" : ["1923"]
+ "Workstation Trust Account' - Disabled" : ["2055"]
+ "Workstation Trust Account' - Enabled" : ["2087"]
+ "Write Property" : ["7685"]
+ "Write Self" : ["7683"]
+ "Write attributes" : ["6660"]
+ "Write objects" : ["6679"]
+ "Write persisted key to file."
: ["2459"]
+ "Write to process memory" : ["4485"]
+ "WriteAccount" : ["5409","5445","5428"]
+ "WriteAttributes" : ["4424"]
+ "WriteData (or AddFile)" : ["4417"]
+ "WriteEA" : ["4420"]
+ "WriteOtherParameters" : ["5395"]
+ "WritePasswordParameters" : ["5393"]
+ "WritePreferences" : ["5442"]
+ "Yes" : ["1842","14678"]
+ "[NULL]" : ["14673"]
+ "a Security Descriptor too long to display" : ["1829"]
+ "an ACE too long to display" : ["1828"]
+ "vSwitch" : ["14604"]
+ "vSwitch Egress" : ["14642"]
+ "vSwitch Ingress" : ["14641"]
+ AccessMaskDescriptions:
+ "0x00000001": Create Child
+ "0x00000002": Delete Child
+ "0x00000004": List Contents
+ "0x00000008": SELF
+ "0x00000010": Read Property
+ "0x00000020": Write Property
+ "0x00000040": Delete Treee
+ "0x00000080": List Object
+ "0x00000100": Control Access
+ "0x00010000": DELETE
+ "0x00020000": READ_CONTROL
+ "0x00040000": WRITE_DAC
+ "0x00080000": WRITE_OWNER
+ "0x00100000": SYNCHRONIZE
+ "0x00F00000": STANDARD_RIGHTS_REQUIRED
+ "0x001F0000": STANDARD_RIGHTS_ALL
+ "0x0000FFFF": SPECIFIC_RIGHTS_ALL
+ "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY
+ "0x10000000": ADS_RIGHT_GENERIC_ALL
+ "0x20000000": ADS_RIGHT_GENERIC_EXECUTE
+ "0x40000000": ADS_RIGHT_GENERIC_WRITE
+ "0x80000000": ADS_RIGHT_GENERIC_READ
+ source: |-
+ def split(String s) {
+ def f = new ArrayList();
+ int last = 0;
+ for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {}
+ for (def i = last; i < s.length(); i++) {
+ if (!Character.isWhitespace(s.charAt(i))) {
+ continue;
+ }
+ f.add(s.substring(last, i));
+ for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {}
+ last = i;
+ }
+ f.add(s.substring(last));
+ return f;
+ }
+ if (ctx.winlog?.event_data?.FailureReason != null) {
+ def code = ctx.winlog.event_data.FailureReason.replace("%%","");
+ def desc = params.descriptions[code];
+ if (desc == null) {
+ desc = code;
+ }
+ if (desc != null) {
+ if (ctx.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+
ctx.winlog.put("logon", hm);
+ }
+ if (ctx.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("reason", desc);
+ }
+ }
+ if (ctx.winlog?.event_data?.AuditPolicyChanges != null) {
+ ArrayList results = new ArrayList();
+ for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) {
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ } else {
+ results.add(code);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AuditPolicyChangesDescription", results);
+ }
+ }
+ if (ctx.winlog?.event_data?.AccessList != null) {
+ ArrayList codes = new ArrayList();
+ ArrayList results = new ArrayList();
+ for (elem in split(ctx.winlog.event_data.AccessList)) {
+ def code = elem.replace("%%","").trim();
+ if (code != "") {
+ codes.add(code);
+ }
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ } else {
+ results.add(code);
+ }
+ }
+ if (codes.length > 0) {
+ ctx.winlog.event_data.AccessList = codes;
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AccessListDescription", results);
+ }
+ }
+ if (ctx.winlog?.event_data?.Direction != null) {
+ def code = ctx.winlog.event_data.Direction.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ ctx.winlog.event_data.put("DirectionDescription", params.descriptions[code]);
+ }
+ }
+ if (ctx.winlog?.event_data?.LayerName != null) {
+ def code = ctx.winlog.event_data.LayerName.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ ctx.winlog.event_data.put("LayerNameDescription", params.descriptions[code]);
+ }
+ }
+ if (ctx.winlog?.event_data?.AccessMask != null) {
+ ArrayList list = new ArrayList();
+ long accessMask;
+ for (elem in split(ctx.winlog.event_data.AccessMask)) {
+ if (elem.length() == 0) {
+ continue;
+ }
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ list.add(params.descriptions[code]);
+ } else {
+ list.add(code);
+ if (params.reversed_descriptions.containsKey(code))
+ code = params.reversed_descriptions[code][0];
+ }
+ try {
+ def longCode = Long.decode(code).longValue();
+ accessMask |= longCode;
+ } catch (Exception e) {}
+ }
+ if (list.length > 0) {
+ ctx.winlog.event_data.put("AccessMask", list);
+ }
+
+ ArrayList desc = new ArrayList();
+ def[] w = new def[] { null };
+ for (long b = 0; b < 32; b++) {
+ long flag = 1L << b;
+ if ((accessMask & flag) == flag) {
+ w[0] = flag;
+ def fDesc = params.AccessMaskDescriptions[String.format("0x%08X", w)];
+ if (fDesc != null) {
+ desc.add(fDesc);
+ }
+ }
+ }
+ if (desc.length > 0) {
+ ctx.winlog.event_data.put("AccessMaskDescription", desc);
+ }
+ ArrayList results = new ArrayList();
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: 4625 and 4776 Set Status and SubStatus
+ description: 4625 and 4776 Set Status and SubStatus
+ # Descriptions of failure status codes.
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
+ params:
+ "0xc000005e": "There are currently no logon servers available to service the logon request."
+ "0xc0000064": "User logon with misspelled or bad user account"
+ "0xc000006a": "User logon with misspelled or bad password"
+ "0xc000006d": "This is either due to a bad username or authentication information"
+ "0xc000006e": "Unknown user name or bad password."
+ "0xc000006f": "User logon outside authorized hours"
+ "0xc0000070": "User logon from unauthorized workstation"
+ "0xc0000071": "User logon with expired password"
+ "0xc0000072": "User logon to account disabled by administrator"
+ "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation."
+ "0xc0000133": "Clocks between DC and other computer too far out of sync"
+ "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine"
+ "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed."
+ "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started."
+ "0xc0000193": "User logon with expired account"
+ "0xc0000224": "User is required to change password at next logon"
+ "0xc0000225": "Evidently a bug in Windows and not a risk"
+ "0xc0000234": "User logon with account locked"
+ "0xc00002ee": "Failure Reason: An Error occurred during Logon"
+ "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."
+ "0xc0000371": "The local account store does not contain secret material for the specified account"
+ "0x0": "Status OK."
+ source: |-
+ if (ctx.winlog?.event_data?.Status == null ||
+ ctx.event?.code == null ||
+ !["4625", "4776"].contains(ctx.event.code)) {
+ return;
+ }
+ if (params.containsKey(ctx.winlog.event_data.Status)) {
+ if (ctx.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]);
+ }
+ if (ctx.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) {
+ return;
+ }
+ if (ctx.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set
Trust Type
+ description: Set Trust Type
+ # Trust Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "1": "TRUST_TYPE_DOWNLEVEL"
+ "2": "TRUST_TYPE_UPLEVEL"
+ "3": "TRUST_TYPE_MIT"
+ "4": "TRUST_TYPE_DCE"
+ source: |-
+ if (ctx.winlog?.event_data?.TdoType == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoType)) {
+ return;
+ }
+ ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Direction
+ description: Set Trust Direction
+ # Trust Direction
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "TRUST_DIRECTION_DISABLED"
+ "1": "TRUST_DIRECTION_INBOUND"
+ "2": "TRUST_DIRECTION_OUTBOUND"
+ "3": "TRUST_DIRECTION_BIDIRECTIONAL"
+ source: |-
+ if (ctx.winlog?.event_data?.TdoDirection == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) {
+ return;
+ }
+ ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Attributes
+ description: Set Trust Attributes
+ # Trust Attributes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "UNDEFINED"
+ "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE"
+ "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY"
+ "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN"
+ "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE"
+ "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION"
+ "32": "TRUST_ATTRIBUTE_WITHIN_FOREST"
+ "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL"
+ "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION"
+ "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION"
+ "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
+ source: |-
+ if (ctx.winlog?.event_data?.TdoAttributes == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) {
+ return;
+ }
+
ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Add Session Events
+ description: Add Session Events
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4778", "4779"].contains(ctx.event.code)) {
+ return;
+ }
+ //AccountName to user.name and related.user
+ if (ctx.winlog?.event_data?.AccountName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.AccountName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) {
+ ctx.related.user.add(ctx.winlog.event_data.AccountName);
+ }
+ }
+
+ //AccountDomain to user.domain
+ if (ctx.winlog?.event_data?.AccountDomain != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.AccountDomain);
+ }
+
+ //ClientAddress to source.ip and related.ip
+ if (ctx.winlog?.event_data?.ClientAddress != null &&
+ ctx.winlog.event_data.ClientAddress != "-" &&
+ ctx.winlog.event_data.ClientAddress != "Unknown") {
+ // Correct invalid IP address "LOCAL"
+ if (ctx?.winlog?.event_data?.ClientAddress == "LOCAL") {
+ ctx.winlog.event_data.ClientAddress="127.0.0.1";
+ }
+ if (ctx.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.ip == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("ip", al);
+ }
+ ctx.source.put("ip", ctx.winlog.event_data.ClientAddress);
+ if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) {
+ ctx.related.ip.add(ctx.winlog.event_data.ClientAddress);
+ }
+ }
+
+ //ClientName to source.domain
+ if
(ctx.winlog?.event_data?.ClientName != null) {
+ if (ctx.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.ClientName);
+ }
+
+ //LogonID to winlog.logon.id
+ if (ctx.winlog?.event_data?.LogonID != null) {
+ if (ctx.winlog?.logon == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User
+ description: Copy Target User
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770",
+ "4771", "4776", "4964"].contains(ctx.event.code)) {
+ return;
+ }
+
+ def targetUserId = ctx.winlog?.event_data?.TargetUserSid;
+ if (targetUserId == null) {
+ targetUserId = ctx.winlog?.event_data?.TargetSid;
+ }
+
+ //TargetUserSid to user.id or user.target.id
+ if (targetUserId != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.user?.id == null) {
+ ctx.user.put("id", targetUserId);
+ } else {
+ if (ctx.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("id", targetUserId);
+ }
+ }
+
+ //TargetUserName to related.user and user.name or user.target.name
+ if (ctx.winlog?.event_data?.TargetUserName != null) {
+ def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@");
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.user?.name == null) {
+ ctx.user.put("name", tun[0]);
+ } else {
+ if (ctx.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("name", tun[0]);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if
(!ctx.related.user.contains(tun[0])) {
+ ctx.related.user.add(tun[0]);
+ }
+ }
+ //TargetUserDomain to user.domain or user.target.domain
+ if (ctx.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.user?.domain == null) {
+ ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName);
+ } else {
+ if (ctx.user?.target == null){
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+ }
+# split member name into parts based on comma ignoring escaped commas
+# https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names
+ - split:
+ if: ctx.winlog?.event_data?.MemberName != null
+ field: winlog.event_data.MemberName
+ target_field: _temp.MemberNameParts
+ separator: "(?= 4) {
+ def domain = memberNameParts[3].replace("DC=", "").replace("dc=", "");
+ ctx.user.target.put("domain", domain);
+ }
+ }
+ if (ctx.winlog?.event_data?.TargetUserSid != null) {
+ if (ctx.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("id", ctx.winlog.event_data.TargetUserSid);
+ }
+ if (ctx.winlog?.event_data?.TargetSid != null) {
+ if (ctx.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx.winlog?.event_data?.TargetUserName != null) {
+ if (ctx.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", "");
+ ctx.group.put("domain", domain);
+ }
+ if (ctx.user?.target != null) {
+ if (ctx.user?.target?.group == null) {
+ HashMap hm = new
HashMap();
+ ctx.user.target.put("group", hm);
+ }
+ if (ctx.group?.id != null) {
+ ctx.user.target.group.put("id", ctx.group.id);
+ }
+ if (ctx.group?.name != null) {
+ ctx.user.target.group.put("name", ctx.group.name);
+ }
+ if (ctx.group?.domain != null) {
+ ctx.user.target.group.put("domain", ctx.group.domain);
+ }
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Computer Object
+ description: Copy Target User to Computer Object
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4741", "4742", "4743"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.event_data?.TargetSid != null) {
+ if (ctx.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx.winlog?.event_data?.TargetUserName != null) {
+ if (ctx.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.TargetLogonId
+ ignore_failure: false
+ if: ctx.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from Event Data
+ description: Copy Subject User from Event Data
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4648", "4657", "4662", "4670", "4672", "4673", "4674", "4688", "4689", "4697",
+ "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", "4716", "4717",
+ "4718", "4719", "4720", "4722", "4723", "4724", "4725", "4726", "4727", "4728",
+ "4729", "4730",
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4739",
+ "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749",
+ "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759",
+ "4760", "4761", "4762", "4763", "4764", "4767", "4781", "4797", "4798", "4799",
+ "4817", "4904", "4905", "4907", "4912", "5136", "5140", "5145", "5379", "5380",
+ "5381", "5382"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.event_data?.SubjectUserSid != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid);
+ }
+ if (ctx.winlog?.event_data?.SubjectUserName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.event_data.SubjectUserName);
+ }
+ }
+ if (ctx.winlog?.event_data?.SubjectDomainName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Target
+ description: Copy Target User to Target
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4670", "4720", "4722", "4723", "4724", "4725",
+ "4726", "4738", "4740", "4767", "4798", "4817",
+ "4907", "4797"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetSid;
+ if (userId !=
null && userId != "" && userId != "-") ctx.user.target.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.target.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.target.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.target.name)) {
+ ctx.related.user.add(ctx.user.target.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain;
+ if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Effective
+ description: Copy Target User to Effective
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4648", "4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.effective == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("effective", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (userId != null && userId != "" && userId != "-") ctx.user.effective.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.effective.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.effective.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.effective.name)) {
+ ctx.related.user.add(ctx.user.effective.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain !=
"-") ctx.user.effective.domain = userDomain; + if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective"); + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from user_data + description: Copy Subject User from user_data + source: |- + if (ctx.event?.code == null || + !["1102"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.user_data?.SubjectUserSid != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid); + } + if (ctx.winlog?.user_data?.SubjectUserName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.user_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.user_data.SubjectUserName); + } + } + if (ctx.winlog?.user_data?.SubjectDomainName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.SubjectLogonId + ignore_failure: true + + - set: + field: winlog.logon.id + copy_from: winlog.user_data.SubjectLogonId + ignore_failure: true + if: |- + ctx.event?.code != null && + ["1102"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + tag: Rename Common Auth Fields + description: Rename Common Auth Fields + source: |- + if (ctx.event?.code == null || + !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625", + "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722", + "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730", + 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740", + "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", + "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", + "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", + "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817", + "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.ProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.ProcessId); + } + ctx.winlog.event_data.remove("ProcessId"); + } + if (ctx.winlog?.event_data?.ProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.ProcessName); + ctx.winlog.event_data.remove("ProcessName"); + } + if (ctx.winlog?.event_data?.IpAddress != null && + ctx.winlog.event_data.IpAddress != "-") { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("ip", ctx.winlog.event_data.IpAddress); + ctx.winlog.event_data.remove("IpAddress"); + } + if (ctx.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort)); + ctx.winlog.event_data.remove("IpPort"); + } + if (ctx.winlog?.event_data?.WorkstationName != null) { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.WorkstationName); + ctx.winlog.event_data.remove("WorkstationName"); + } + if (ctx.winlog?.event_data?.ClientAddress != null 
&& + ctx.winlog.event_data.ClientAddress != "-") { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + ctx.related.put("ip", ctx.winlog.event_data.ClientAddress); + ctx.winlog.event_data.remove("ClientAddress"); + } + if (ctx.process?.name == null && ctx.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + + - script: + lang: painless + ignore_failure: false + tag: Process Event 4688 + description: Process Event 4688 + source: |- + if (ctx.event?.code == null || + !["4688"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.NewProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.NewProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.NewProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.NewProcessId); + } + ctx.winlog.event_data.remove("NewProcessId"); + } + if (ctx.winlog?.event_data?.NewProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.NewProcessName); + ctx.winlog.event_data.remove("NewProcessName"); + } + if (ctx.winlog?.event_data?.ParentProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName); + ctx.winlog.event_data.remove("ParentProcessName"); + } + if (ctx.process?.name == null && ctx.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + if (ctx.process?.parent?.name == null && ctx.process?.parent?.executable != null) { + def 
parts = ctx.process.parent.executable.splitOnToken("\\"); + ctx.process.parent.put("name", parts[-1]); + } + if (ctx.winlog?.event_data?.ProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.parent.put("pid", pid.longValue()); + } else { + ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); + } + } + if (ctx.winlog?.event_data?.CommandLine != null) { + int start = 0; + int end = 0; + boolean in_quote = false; + ArrayList al = new ArrayList(); + for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { + end = i; + if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { + if (in_quote) { + in_quote = false; + } else { + in_quote = true; + } + } + if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); + start = i + 1; + } + if (i == ctx.winlog.event_data.CommandLine.length() - 1) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); + } + } + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("args", al); + ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + } + if ((ctx.winlog?.event_data?.TargetUserName != null) && + (!ctx.winlog.event_data.TargetUserName.equals("-"))) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { + ctx.related.user.add(ctx.winlog.event_data.TargetUserName); + } + } + + - append: + field: 
related.user + value: '{{winlog.event_data.SubjectUserName}}' + allow_duplicates: false + if: |- + ctx.event?.code != null && + ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) && + ctx.winlog?.event_data?.SubjectUserName != null && + ctx.winlog.event_data.SubjectUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.TargetUserName}}' + allow_duplicates: false + if: |- + ctx.event?.code != null && + ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738", + "4740", "4767", "4797", "4798"].contains(ctx.event.code) && + ctx.winlog?.event_data?.TargetUserName != null && + ctx.winlog.event_data.TargetUserName != "-" + + - split: + field: winlog.event_data.PrivilegeList + separator: "\\s+" + if: |- + ctx.event?.code != null && + ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) && + ctx.winlog?.event_data?.PrivilegeList != null + + - set: + field: user.target.name + copy_from: winlog.event_data.OldTargetUserName + ignore_empty_value: true + + - set: + field: user.changes.name + copy_from: winlog.event_data.NewTargetUserName + ignore_empty_value: true + + - append: + field: related.user + value: '{{winlog.event_data.NewTargetUserName}}' + allow_duplicates: false + if: |- + ctx.winlog?.event_data?.NewTargetUserName != null && + ctx.winlog.event_data.NewTargetUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.OldTargetUserName}}' + allow_duplicates: false + if: |- + ctx.winlog?.event_data?.OldTargetUserName != null && + ctx.winlog.event_data.OldTargetUserName != "-" + + - gsub: + field: source.ip + pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$' + replacement: '$1' + ignore_missing: true + + - append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: |- + ctx.source?.ip != null && + ctx.source.ip != "-" + + - script: + lang: painless + ignore_failure: false + tag: Object Policy Change and 
SidListDesc + description: Object Policy Change and SidListDesc + # SDDL Ace Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + # SDDL Permissions + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + # Known SIDs + # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems + # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings + # Domain-specific SIDs + # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems + # Object Permission Flags + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + AccountSIDDescription: + AO: Account operators + RU: Alias to allow previous Windows 2000 + AN: Anonymous logon + AU: Authenticated users + BA: Built-in administrators + BG: Built-in guests + BO: Backup operators + BU: Built-in users + CA: Certificate server administrators + CG: Creator group + CO: Creator owner + DA: Domain administrators + DC: Domain computers + DD: Domain controllers + DG: Domain guests + DU: Domain users + EA: Enterprise administrators + ED: Enterprise domain controllers + WD: Everyone + PA: Group Policy administrators + IU: Interactively logged-on user + LA: Local administrator + LG: Local guest + LS: Local service account + SY: Local system + NU: Network logon user + "NO": Network configuration operators + NS: Network service account + PO: Printer operators + PS: Personal self + PU: Power users + RS: RAS servers group + RD: Terminal server users + RE: Replicator + RC: Restricted code + SA: 
Schema administrators + SO: Server operators + SU: Service logon user + S-1-0: Null Authority + S-1-0-0: Nobody + S-1-1: World Authority + S-1-1-0: Everyone + S-1-16-0: Untrusted Mandatory Level + S-1-16-12288: High Mandatory Level + S-1-16-16384: System Mandatory Level + S-1-16-20480: Protected Process Mandatory Level + S-1-16-28672: Secure Process Mandatory Level + S-1-16-4096: Low Mandatory Level + S-1-16-8192: Medium Mandatory Level + S-1-16-8448: Medium Plus Mandatory Level + S-1-2: Local Authority + S-1-2-0: Local + S-1-2-1: Console Logon + S-1-3: Creator Authority + S-1-3-0: Creator Owner + S-1-3-1: Creator Group + S-1-3-2: Creator Owner Server + S-1-3-3: Creator Group Server + S-1-3-4: Owner Rights + S-1-4: Non-unique Authority + S-1-5: NT Authority + S-1-5-1: Dialup + S-1-5-10: Principal Self + S-1-5-11: Authenticated Users + S-1-5-12: Restricted Code + S-1-5-13: Terminal Server Users + S-1-5-14: Remote Interactive Logon + S-1-5-15: This Organization + S-1-5-17: This Organization + S-1-5-18: Local System + S-1-5-19: NT Authority + S-1-5-2: Network + S-1-5-20: NT Authority + S-1-5-3: Batch + S-1-5-32-544: Administrators + S-1-5-32-545: Users + S-1-5-32-546: Guests + S-1-5-32-547: Power Users + S-1-5-32-548: Account Operators + S-1-5-32-549: Server Operators + S-1-5-32-550: Print Operators + S-1-5-32-551: Backup Operators + S-1-5-32-552: Replicators + S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access + S-1-5-32-555: Builtin\Remote Desktop Users + S-1-5-32-556: Builtin\Network Configuration Operators + S-1-5-32-557: Builtin\Incoming Forest Trust Builders + S-1-5-32-558: Builtin\Performance Monitor Users + S-1-5-32-559: Builtin\Performance Log Users + S-1-5-32-560: Builtin\Windows Authorization Access Group + S-1-5-32-561: Builtin\Terminal Server License Servers + S-1-5-32-562: Builtin\Distributed COM Users + S-1-5-32-569: Builtin\Cryptographic Operators + S-1-5-32-573: Builtin\Event Log Readers + S-1-5-32-574: Builtin\Certificate Service DCOM Access + 
S-1-5-32-575: Builtin\RDS Remote Access Servers + S-1-5-32-576: Builtin\RDS Endpoint Servers + S-1-5-32-577: Builtin\RDS Management Servers + S-1-5-32-578: Builtin\Hyper-V Administrators + S-1-5-32-579: Builtin\Access Control Assistance Operators + S-1-5-32-580: Builtin\Remote Management Users + S-1-5-32-582: Storage Replica Administrators + S-1-5-4: Interactive + S-1-5-5-X-Y: Logon Session + S-1-5-6: Service + S-1-5-64-10: NTLM Authentication + S-1-5-64-14: SChannel Authentication + S-1-5-64-21: Digest Authentication + S-1-5-7: Anonymous + S-1-5-8: Proxy + S-1-5-80: NT Service + S-1-5-80-0: All Services + S-1-5-83-0: NT Virtual Machine\Virtual Machines + S-1-5-9: Enterprise Domain Controllers + S-1-5-90-0: Windows Manager\Windows Manager Group + AceTypes: + A: Access Allowed + D: Access Denied + OA: Object Access Allowed + OD: Object Access Denied + AU: System Audit + AL: System Alarm + OU: System Object Audit + OL: System Object Alarm + ML: System Mandatory Label + SP: Central Policy ID + DomainSpecificSID: + "498": Enterprise Read-only Domain Controllers + "500": Administrator + "501": Guest + "502": KRBTGT + "512": Domain Admins + "513": Domain Users + "514": Domain Guests + "515": Domain Computers + "516": Domain Controllers + "517": Cert Publishers + "518": Schema Admins + "519": Enterprise Admins + "520": Group Policy Creator Owners + "521": Read-only Domain Controllers + "522": Cloneable Domain Controllers + "526": Key Admins + "527": Enterprise Key Admins + "553": RAS and IAS Servers + "571": Allowed RODC Password Replication Group + "572": Denied RODC Password Replication Group + PermissionDescription: + GA: Generic All + GR: Generic Read + GW: Generic Write + GX: Generic Execute + RC: Read Permissions + SD: Delete + WD: Modify Permissions + WO: Modify Owner + RP: Read All Properties + WP: Write All Properties + CC: Create All Child Objects + DC: Delete All Child Objects + LC: List Contents + SW: All Validated + LO: List Object + DT: Delete Subtree + CR: 
All Extended Rights + FA: File All Access + FR: File Generic Read + FX: FILE GENERIC EXECUTE + FW: FILE GENERIC WRITE + KA: KEY ALL ACCESS + KR: KEY READ + KW: KEY WRITE + KX: KEY EXECUTE + PermsFlags: + "0x80000000": 'Generic Read' + "0x4000000": 'Generic Write' + "0x20000000": 'Generic Execute' + "0x10000000": 'Generic All' + "0x02000000": 'Maximum Allowed' + "0x01000000": 'Access System Security' + "0x00100000": 'Syncronize' + "0x00080000": 'Write Owner' + "0x00040000": 'Write DACL' + "0x00020000": 'Read Control' + "0x00010000": 'Delete' + source: |- + ArrayList translatePermissionMask(def mask, def params) { + ArrayList al = new ArrayList(); + Long permCode = Long.decode(mask); + for (entry in params.PermsFlags.entrySet()) { + Long permFlag = Long.decode(entry.getKey()); + if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { + al.add(entry.getValue()); + } + } + if (al.length == 0) { + al.add(mask); + } + return al; + } + + HashMap translateACL(def dacl, def params) { + def aceArray = dacl.splitOnToken(";"); + HashMap hm = new HashMap(); + + if (aceArray.length >= 6 ) { + hm.put("grantee", translateSID(aceArray[5], params)); + } + + if (aceArray.length >= 1) { + hm.put("type", params.AceTypes[aceArray[0]]); + } + + if (aceArray.length >= 3) { + if (aceArray[2].startsWith("0x")) { + hm.put("perms", translatePermissionMask(aceArray[2], params)); + } else { + ArrayList al = new ArrayList(); + Pattern permPattern = /.{1,2}/; + Matcher permMatcher = permPattern.matcher(aceArray[2]); + while (permMatcher.find()) { + al.add(params.PermissionDescription[permMatcher.group(0)]); + } + hm.put("perms", al); + } + } + return hm; + } + String translateSID(def sid, def params) { + if (!params.AccountSIDDescription.containsKey(sid)) { + if (sid.startsWith("S-1-5-21")) { + Pattern uidPattern = /[0-9]{1,5}$/; + Matcher uidMatcher = uidPattern.matcher(sid); + if (uidMatcher.find()) { + return params.DomainSpecificSID[uidMatcher.group(0)]; + } + return sid; 
+ }
+ return sid;
+ }
+ return params.AccountSIDDescription[sid];
+ }
+
+ void enrichSDDL(def sddlStr, def Sd, def params, def ctx) {
+ Pattern sdOwnerPattern = /^O\:[A-Z]{2}/;
+ Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr);
+ if (sdOwnerMatcher.find()) {
+ ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params));
+ }
+
+ Pattern sdGroupPattern = /^G\:[A-Z]{2}/;
+ Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr);
+ if (sdGroupMatcher.find()) {
+ ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params));
+ }
+
+ Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/;
+ Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr);
+ if (sdDaclMatcher.find()) {
+ Pattern dacListPattern = /\([^*\)]*\)/;
+ Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1));
+ for (def i = 0; dacListMatcher.find(); i++) {
+ def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params);
+ ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")");
+ if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) {
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(newDacl['grantee'])) {
+ ctx.related.user.add(newDacl['grantee']);
+ }
+ }
+ }
+ }
+
+ Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/;
+ Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr);
+ if (sdSaclMatcher.find()) {
+ Pattern sacListPattern = /\([^*\)]*\)/;
+ Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0));
+ for (def i = 0; sacListMatcher.find(); i++) {
+ def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params);
+ ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")");
+ if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) {
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(newSacl['grantee'])) {
+ ctx.related.user.add(newSacl['grantee']);
+ }
+ }
+ }
+ }
+ }
+
+ void splitSidList(def sids, def params, def ctx) {
+ ArrayList al = new ArrayList();
+ def sidList = sids.splitOnToken(" ");
+ ctx.winlog.event_data.put("SidList", sidList);
+ for (def i = 0; i < sidList.length; i++ ) {
+ al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params));
+ }
+ ctx.winlog.event_data.put("SidListDesc", al);
+ }
+
+ if (ctx.event?.code == null ||
+ !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.event_data?.OldSd != null) {
+ enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx);
+ }
+ if (ctx.winlog?.event_data?.NewSd != null) {
+ enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx);
+ }
+ if (ctx.winlog?.event_data?.SidList != null) {
+ splitSidList(ctx.winlog.event_data.SidList, params, ctx);
+ }
+
+ - set:
+ field: file.name
+ copy_from: winlog.event_data.RelativeTargetName
+ if: |-
+ ctx.event?.code != null &&
+ ["5140", "5145"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.RelativeTargetName != null &&
+ ctx.winlog.event_data.RelativeTargetName != ""
+ - set:
+ field: file.directory
+ copy_from: winlog.event_data.ShareLocalPath
+ if: |-
+ ctx.event?.code != null &&
+ ["5140", "5145"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.ShareLocalPath != null &&
+ ctx.winlog.event_data.ShareLocalPath != ""
+ - set:
+ field: file.path
+ value: "{{file.directory}}\\{{file.name}}"
+ if: ctx.file?.name != null && ctx.file?.directory != null
+ - set:
+ field: file.directory
+ copy_from: winlog.event_data.ShareLocalPath
+ if: |-
+ ctx.event?.code != null &&
+ ["5140", "5145"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.ShareLocalPath != null &&
+ ctx.winlog.event_data.ShareLocalPath != ""
+ - set:
+ field: file.target_path
+ value: "{{winlog.event_data.ShareName}}\\{{file.name}}"
+ if: |-
+ ctx.event?.code != null &&
+ ["5140", "5145"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.ShareName != null &&
+ ctx.winlog.event_data.ShareName != "" &&
+ ctx.file?.name != null
+ - script:
+ description: Adds file information.
+ lang: painless
+ if: ctx.file?.name != null
+ source: |-
+ def extIdx = ctx.file.name.lastIndexOf(".");
+ if (extIdx > -1) {
+ ctx.file.extension = ctx.file.name.substring(extIdx+1);
+ }
+ - convert:
+ field: winlog.record_id
+ type: string
+ ignore_missing: true
+
+ - convert:
+ field: winlog.event_id
+ type: string
+ ignore_missing: true
+
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+
+ - set:
+ field: log.level
+ copy_from: winlog.level
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx.winlog?.level != ""
+
+ - date:
+ field: winlog.time_created
+ tag: "time_created_date"
+ formats:
+ - ISO8601
+ if: ctx.winlog?.time_created != null
+ on_failure:
+ - remove:
+ field: winlog.time_created
+ ignore_failure: true
+ - append:
+ field: error.message
+ value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
+ - fail:
+ message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
+
+ #Cleanup _temp fields as it is not needed anymore
+ - remove:
+ field: _temp
+ ignore_missing: true
+ ignore_failure: true
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
index 03ed45832bb2..efec7a6246df 100644
--- a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
+++ b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
@@ -5,7 +5,7 @@ processors:
- set: field: ecs.version - value: '8.0.0' + value: '8.17.0' - script: description: Remove all empty values from event_data. lang: painless