From 058f4bd72a133c1b6c24fbb50df490fb00993ad3 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 5 Mar 2025 07:28:30 +1030 Subject: [PATCH 01/12] x-pack/filebeat/input/entityanalytics/provider/activedirectory: do not consider computers to be users (#42796) Active Directory classifies computers in the set of users, so (objectClass=user) is not an adequately tight query to only return human users. Adding the (objectCategory=person) condition resolves this. --- CHANGELOG.next.asciidoc | 1 + .../internal/activedirectory/activedirectory.go | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1c532e04cd74..f2f39edd0928 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -229,6 +229,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403] - [Journald] Fixes handling of `journalctl` restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines. {issue}41331[41331] {pull}42595[42595] - Fix entityanalytics activedirectory provider full sync use before initialization bug. {pull}42682[42682] - In the `http_endpoint` input, fix the check for a missing HMAC HTTP header. {pull}42756[42756] +- Prevent computer details being returned for user queries by Activedirectory Entity Analytics provider. {issue}11818[11818] {pull}42796[42796] *Heartbeat* diff --git a/x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go b/x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go index b52af0b699d3..56a7d41060a4 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go +++ b/x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go 
@@ -86,9 +86,9 @@ func GetDetails(url, user, pass string, base *ldap.DN, since time.Time, userAttr
 }
 
 // Get users in the directory...
- userFilter := "(objectClass=user)"
+ userFilter := "(&(objectCategory=person)(objectClass=user))"
 if sinceFmtd != "" {
- userFilter = "(&(objectClass=user)(whenChanged>=" + sinceFmtd + "))"
+ userFilter = "(&(objectCategory=person)(objectClass=user)(whenChanged>=" + sinceFmtd + "))"
 }
 usrs, err := search(conn, baseDN, userFilter, userAttrs, pagingSize)
 if err != nil {
@@ -120,7 +120,7 @@ func GetDetails(url, user, pass string, base *ldap.DN, since time.Time, userAttr
 for i, u := range modGrps {
 modGrps[i] = "(memberOf=" + u + ")"
 }
- query := "(&(objectClass=user)(|" + strings.Join(modGrps, "") + ")"
+ query := "(&(objectCategory=person)(objectClass=user)(|" + strings.Join(modGrps, "") + ")"
 usrs, err := search(conn, baseDN, query, userAttrs, pagingSize)
 if err != nil {
 errs = append(errs, fmt.Errorf("failed to collect users of changed groups%w: %w", ErrUsers, err))
From 2050421ad389460eb5eef773dc785dbf537af496 Mon Sep 17 00:00:00 2001
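Review bot: In the second hunk the rebuilt `query` still closes only the inner `(|…)` group, not the outer `(&`: the literal ends with a single `")"`, so the filter reads `(&(objectCategory=person)(objectClass=user)(|(memberOf=…)…)` one `)` short, and unless `search` repairs it a go-ldap filter compile would reject the changed-groups lookup; `query := "(&(objectCategory=person)(objectClass=user)(|" + strings.Join(modGrps, "") + "))"`. The group DNs are also spliced in verbatim on the context line `modGrps[i] = "(memberOf=" + u + ")"`; a DN whose RDN values contain `(`, `)`, `*` or `\` would change the filter's meaning or break it, so `ldap.EscapeFilter(u)` is worth applying there (assuming the `ldap` import is go-ldap, which provides it). `sinceFmtd` in the first hunk is a formatted timestamp, so the same concern does not apply to it. GetDetails starts before and ends after both hunks.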
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 4 Mar 2025 23:01:23 +0100 Subject: [PATCH 02/12] [main](backport #42976) docs: Prepare Changelog for 8.16.5 (#43005) * docs: Prepare Changelog for 8.16.5 (#42976) * docs: Close changelog for 8.16.5 * Remove empty sections from CHANGELOG.asciidoc --------- Co-authored-by: elasticmachine Co-authored-by: Pierre HILBERT (cherry picked from commit a2167aacc6cbb34271206b94f841bcbcf1b2249e) # Conflicts: # CHANGELOG.asciidoc # libbeat/docs/release.asciidoc * Fixing conflict * Resolve merge conflict in release notes. --------- Co-authored-by: elastic-vault-github-plugin-prod[bot] <150874479+elastic-vault-github-plugin-prod[bot]@users.noreply.github.com> Co-authored-by: Pierre HILBERT --- CHANGELOG.asciidoc | 29 +++++++++++++++++++++++++++++ CHANGELOG.next.asciidoc | 9 +++------ libbeat/docs/release.asciidoc | 1 + 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index f4c0602e836e..7a24a85ecee6 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc 
@@ -180,6 +180,35 @@ https://github.com/elastic/beats/compare/v8.16.1\...v8.17.0[View commits] - Implement exclusion range support for event_id. {issue}38623[38623] {pull}41639[41639] +[[release-notes-8.16.5]] +=== Beats version 8.16.5 +https://github.com/elastic/beats/compare/v8.16.4\...v8.16.5[View commits] + +==== Bugfixes + +*Filebeat* + +- [Journald] Fixes handling of `journalctl` restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines. {issue}41331[41331] {pull}42595[42595] + +*Winlogbeat* + +- Sync missing changes in modules pipelines. {pull}42619[42619] + +==== Added + +*Affecting all Beats* + +- Update Go version to 1.22.12. {pull}42681[42681] + +*Filebeat* + +- Introduce ignore older and start timestamp filters for AWS S3 input. {pull}41804[41804] + +*Metricbeat* + +- Log every 401 response from Kubernetes API Server. {pull}42714[42714] + + [[release-notes-8.16.4]] === Beats version 8.16.4 https://github.com/elastic/beats/compare/v8.16.3\...v8.16.4[View commits] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f2f39edd0928..18e80d03e045 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -248,18 +248,12 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403] - Fix issue where beats may report incorrect metrics for its own process when running inside a container {pull}39627[39627] - Normalize AWS RDS CPU Utilization values before making the metadata API call. {pull}39664[39664] - Fix behavior of pagetypeinfo metrics {pull}39985[39985] -- Fix query logic for temp and non-temp tablespaces in Oracle module. {issue}38051[38051] {pull}39787[39787] -- Set GCP metrics config period to the default (60s) when the value is below the minimum allowed period. {issue}30434[30434] {pull}40020[40020] -- Fix statistic methods for metrics collected for SQS. {pull}40207[40207] -- Add GCP 'instance_id' resource label in ECS cloud fields. {issue}40033[40033] {pull}40062[40062] -- Fix missing metrics from CloudWatch when include_linked_accounts set to false. {issue}40071[40071] {pull}40135[40135] - Update beat module with apm-server monitoring metrics fields {pull}40127[40127] - Fix Azure Monitor metric timespan to restore Storage Account PT1H metrics {issue}40376[40376] {pull}40367[40367] - Remove excessive info-level logs in cgroups setup {pull}40491[40491] - Add missing ECS Cloud fields in GCP `metrics` metricset when using `exclude_labels: true` {issue}40437[40437] {pull}40467[40467] - Add AWS OwningAccount support for cross account monitoring {issue}40570[40570] {pull}40691[40691] - Use namespace for GetListMetrics when exists in AWS {pull}41022[41022] -- Fix http server helper SSL config. {pull}39405[39405] - Fix Kubernetes metadata sometimes not being present after startup {pull}41216[41216] - Do not report non-existant 0 values for RSS metrics in docker/memory {pull}41449[41449] - Log Cisco Meraki `getDevicePerformanceScores` errors without stopping metrics collection. {pull}41622[41622] @@ -583,6 +577,9 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403] + + + 
diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index e5c331a6c3da..456b2418878f 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -11,6 +11,7 @@ upgrade. * <> * <> * <> +* <> * <> * <> * <> From 1854bba7917e63d9cf5c150d80b73dbe0f82b1bc Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 5 Mar 2025 12:28:09 +0100 Subject: [PATCH 03/12] Skip test case for sequoia (#42996) --- .../filebeat/input/unifiedlogs/input_test.go | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/input/unifiedlogs/input_test.go b/x-pack/filebeat/input/unifiedlogs/input_test.go index 7046b847ee27..b5c3d92fe718 100644 --- a/x-pack/filebeat/input/unifiedlogs/input_test.go +++ b/x-pack/filebeat/input/unifiedlogs/input_test.go @@ -58,6 +58,7 @@ func TestInput(t *testing.T) { testCases := []struct { name string + skip func(*testing.T) bool cfg config timeUntilClose time.Duration assertFunc func(collect *assert.CollectT, events []beat.Event, cursors []*time.Time) @@ -139,6 +140,19 @@ func TestInput(t *testing.T) { }, { name: "With end date", + skip: func(t *testing.T) bool { + const sequoiaPrefix = "15." + version, err := exec.Command("sw_vers", "-productVersion").CombinedOutput() + if err != nil { + t.Fatalf("failed to get macOS version: %v", err) + return true + } + if strings.HasPrefix(strings.TrimSpace(string(version)), sequoiaPrefix) { + t.Skip("macOS 15.x does not support the --end flag correctly") + return true + } + return false + }, cfg: config{ ShowConfig: showConfig{ ArchiveFile: archivePath, @@ -147,7 +161,7 @@ func TestInput(t *testing.T) { }, timeUntilClose: time.Second, expectedLogShowCmd: fmt.Sprintf("/usr/bin/log show --style ndjson --archive %s --end 2024-12-04 13:46:00+0200", archivePath), - assertFunc: eventsAndCursorAssertN(462), + assertFunc: eventsAndCursorAssertN(149), }, { name: "With predicate", 
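Review bot: In the `skip` func added at the `@@ -139` hunk, the `return true` after `t.Fatalf` and after `t.Skip` is unreachable, because both end the test goroutine via runtime.Goexit; the bool result, and the `if tc.skip != nil && tc.skip(t) { return }` check in the loop hunk later in this patch, are therefore redundant, and `skip func(*testing.T)` called as `if tc.skip != nil { tc.skip(t) }` would express the same thing. The probe also turns a failed `sw_vers` invocation into a test failure rather than a skip; since that is an environment problem rather than a defect in the input, `t.Skipf("cannot determine macOS version: %v", err)` is likely the better outcome, though the CI expectations are not visible here. TestInput starts before and ends after these hunks.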
@@ -204,6 +218,9 @@ func TestInput(t *testing.T) { for _, tc := range testCases { tc := tc t.Run(tc.name, func(t *testing.T) { + if tc.skip != nil && tc.skip(t) { + return + } _, cursorInput := newCursorInput(tc.cfg) input := cursorInput.(*input) From 7237209ca708ecd04ceb950348a66806ce35a6f0 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 5 Mar 2025 12:49:35 +0100 Subject: [PATCH 04/12] Fix boolean key in security pipelines and sync pipelines with integration. (#43027) --- CHANGELOG.next.asciidoc | 1 + .../module/powershell/ingest/powershell.yml | 2 +- .../ingest/powershell_operational.yml | 2 +- .../module/routing/ingest/routing.yml | 36 +- .../module/security/ingest/security.yml | 4221 +--------------- .../security/ingest/security_standard.yml | 4248 +++++++++++++++++ .../module/sysmon/ingest/sysmon.yml | 2 +- 7 files changed, 4315 insertions(+), 4197 deletions(-) create mode 100644 x-pack/winlogbeat/module/security/ingest/security_standard.yml diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 18e80d03e045..c4f85fbbadc2 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -282,6 +282,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403] - Sync missing changes in modules pipelines. {pull}42619[42619] - Reset EventLog if error EOF is encountered. {pull}42826[42826] - Implement backoff on error retrial. {pull}42826[42826] +- Fix boolean key in security pipelines and sync pipelines with integration. {pull}43027[43027] *Elastic Logging Plugin* diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml index d14a9e25aa32..7cde92f7cb04 100644 --- a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml +++ b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml @@ -46,7 +46,7 @@ processors: - set: field: ecs.version - value: '8.0.0' + value: '8.17.0' - set: field: log.level copy_from: winlog.level 
diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml index 206d25db3de8..a514f85b5fb7 100644 --- a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml +++ b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml @@ -26,7 +26,7 @@ processors: - set: field: ecs.version - value: '8.0.0' + value: '8.17.0' - set: field: log.level copy_from: winlog.level diff --git a/x-pack/winlogbeat/module/routing/ingest/routing.yml b/x-pack/winlogbeat/module/routing/ingest/routing.yml index 9c00e19e1603..945408bed4c8 100644 --- a/x-pack/winlogbeat/module/routing/ingest/routing.yml +++ b/x-pack/winlogbeat/module/routing/ingest/routing.yml @@ -16,6 +16,7 @@ processors: - pipeline: name: '{< IngestPipeline "powershell_operational" >}' if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'microsoft-windows-powershell/operational' + - set: field: host.os.type value: windows 
@@ -25,8 +26,39 @@ processors: value: windows override: false + # Get user details from the translate_sid processor enrichment + # if they are available and we don't already have them. + - rename: + field: winlog.event_data._MemberUserName + target_field: user.name + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data._MemberDomain + target_field: user.domain + ignore_failure: true + ignore_missing: true + - append: + value: '{{{winlog.event_data._MemberAccountType}}}' + field: user.roles + ignore_failure: true + allow_duplicates: false + if: ctx.winlog?.event_data?._MemberAccountType != null + - remove: + field: winlog.event_data._MemberAccountType + ignore_missing: true + ignore_failure: true + if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType) + + - convert: + field: error.code + type: string + ignore_missing: true + on_failure: - set: + field: event.kind + value: pipeline_error + - append: field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml index 55687df728cb..ccbb522879ef 100644 --- a/x-pack/winlogbeat/module/security/ingest/security.yml +++ b/x-pack/winlogbeat/module/security/ingest/security.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for Windows Security events +description: Pipeline for Security events processors: - set: field: event.module 
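Review bot: The replaced `on_failure` handler at the end of the hunk records only `_ingest.on_failure_message`, dropping the processor type, tag and pipeline name the previous message carried; because this routing pipeline dispatches into several sub-pipelines, an `event.kind: pipeline_error` event now says what failed but no longer where. If mirroring the integration pipeline is the intent this may be deliberate, but keeping the location is cheap, e.g. a second `append` on `error.message` with `value: 'Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed'`. The new `rename` steps rely on `ignore_failure: true` to implement the "if we don't already have them" comment, which also hides any other failure of those processors; a reader would benefit from the comment saying that the target-exists failure is the expected one. The `processors` list continues outside the hunk.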
@@ -8,3793 +8,34 @@ processors: field: event.code type: string ignore_missing: true - - script: - lang: painless - ignore_failure: false - tag: Set ECS categorization fields - description: Set ECS categorization fields - params: - "1100": - category: - - process - type: - - end - action: logging-service-shutdown - "1102": - category: - - iam - type: - - admin - - change - action: audit-log-cleared - "1104": - category: - - iam - type: - - admin - action: logging-full - "1105": - category: - - iam - type: - - admin - action: auditlog-archieved - "1108": - category: - - iam - type: - - admin - action: logging-processing-error - "4610": - category: - - configuration - type: - - access - action: authentication-package-loaded - "4611": - category: - - configuration - type: - - change - action: trusted-logon-process-registered - "4614": - category: - - configuration - type: - - access - action: notification-package-loaded - "4616": - category: - - configuration - type: - - change - action: system-time-changed - "4622": - category: - - configuration - type: - - access - action: security-package-loaded - "4624": - category: - - authentication - type: - - start - action: logged-in - "4625": - category: - - authentication - type: - - start - action: logon-failed - "4634": - category: - - authentication - type: - - end - action: logged-out - "4647": - category: - - authentication - type: - - end - action: logged-out - "4648": - category: - - authentication - type: - - start - action: logged-in-explicit - "4657": - category: - - registry - - configuration - type: - - change - action: registry-value-modified - "4662": - category: - - iam - - configuration - type: - - admin - - change - action: object-operation-performed - "4670": - category: - - iam - - configuration - type: - - admin - - change - action: permissions-changed - "4672": - category: - - iam - type: - - admin - action: logged-in-special - "4673": - category: - - iam - type: - - admin - action: 
privileged-service-called - "4674": - category: - - iam - type: - - admin - action: privileged-operation - "4688": - category: - - process - type: - - start - action: created-process - "4689": - category: - - process - type: - - end - action: exited-process - "4697": - category: - - iam - - configuration - type: - - admin - - change - action: service-installed - "4698": - category: - - iam - - configuration - type: - - creation - - admin - action: scheduled-task-created - "4699": - category: - - iam - - configuration - type: - - deletion - - admin - action: scheduled-task-deleted - "4700": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-enabled - "4701": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-disabled - "4702": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-updated - "4706": - category: - - configuration - type: - - creation - action: domain-trust-added - "4707": - category: - - configuration - type: - - deletion - action: domain-trust-removed - "4713": - category: - - configuration - type: - - change - action: kerberos-policy-changed - "4714": - category: - - configuration - type: - - change - action: encrypted-data-recovery-policy-changed - "4715": - category: - - configuration - type: - - change - action: object-audit-policy-changed - "4716": - category: - - configuration - type: - - change - action: trusted-domain-information-changed - "4717": - category: - - iam - - configuration - type: - - admin - - change - action: system-security-access-granted - "4718": - category: - - iam - - configuration - type: - - admin - - deletion - action: system-security-access-removed - "4719": - category: - - iam - - configuration - type: - - admin - - change - action: changed-audit-config - "4720": - category: - - iam - type: - - user - - creation - action: added-user-account - "4722": - category: - - iam - type: - - user - - change - 
action: enabled-user-account - "4723": - category: - - iam - type: - - user - - change - action: changed-password - "4724": - category: - - iam - type: - - user - - change - action: reset-password - "4725": - category: - - iam - type: - - user - - deletion - action: disabled-user-account - "4726": - category: - - iam - type: - - user - - deletion - action: deleted-user-account - "4727": - category: - - iam - type: - - group - - creation - action: added-group-account - "4728": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4729": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4730": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4731": - category: - - iam - type: - - group - - creation - action: added-group-account - "4732": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4733": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4734": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4735": - category: - - iam - type: - - group - - change - action: modified-group-account - "4737": - category: - - iam - type: - - group - - change - action: modified-group-account - "4738": - category: - - iam - type: - - user - - change - action: modified-user-account - "4739": - category: - - configuration - type: - - change - action: domain-policy-changed - "4740": - category: - - iam - type: - - user - - change - action: locked-out-user-account - "4741": - category: - - iam - type: - - creation - - admin - action: added-computer-account - "4742": - category: - - iam - type: - - change - - admin - action: changed-computer-account - "4743": - category: - - iam - type: - - deletion - - admin - action: deleted-computer-account - "4744": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4745": - category: - - iam - 
type: - - group - - change - action: changed-distribution-group-account - "4746": - category: - - iam - type: - - group - - change - action: added-member-to-distribution-group - "4747": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4748": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4749": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4750": - category: - - iam - type: - - group - - change - action: changed-distribution-group-account - "4751": - category: - - iam - type: - - group - - change - action: added-member-to-distribution-group - "4752": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4753": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4754": - category: - - iam - type: - - group - - creation - action: added-group-account - "4755": - category: - - iam - type: - - group - - change - action: modified-group-account - "4756": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4757": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4758": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4759": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4760": - category: - - iam - type: - - group - - change - action: changed-distribution-group-account - "4761": - category: - - iam - type: - - group - - change - action: added-member-to-distribution-group - "4762": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4763": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4764": - category: - - iam - type: - - group - - change - action: type-changed-group-account 
- "4767": - category: - - iam - type: - - user - - change - action: unlocked-user-account - "4768": - category: - - authentication - type: - - start - action: kerberos-authentication-ticket-requested - "4769": - category: - - authentication - type: - - start - action: kerberos-service-ticket-requested - "4770": - category: - - authentication - type: - - start - action: kerberos-service-ticket-renewed - "4771": - category: - - authentication - type: - - start - action: kerberos-preauth-failed - "4776": - category: - - authentication - type: - - start - action: credential-validated - "4778": - category: - - authentication - - session - type: - - start - action: session-reconnected - "4779": - category: - - authentication - - session - type: - - end - action: session-disconnected - "4781": - category: - - iam - type: - - user - - change - action: renamed-user-account - "4797": - category: - - iam - type: - - user - - info - action: query-existence-of-blank-password - "4798": - category: - - iam - type: - - user - - info - action: group-membership-enumerated - "4799": - category: - - iam - type: - - group - - info - action: user-member-enumerated - "4817": - category: - - iam - - configuration - type: - - admin - - change - action: object-audit-changed - "4902": - category: - - iam - - configuration - type: - - admin - - creation - action: user-audit-policy-created - "4904": - category: - - iam - - configuration - type: - - admin - - change - action: security-event-source-added - "4905": - category: - - iam - - configuration - type: - - admin - - deletion - action: security-event-source-removed - "4906": - category: - - iam - - configuration - type: - - admin - - change - action: crash-on-audit-changed - "4907": - category: - - iam - - configuration - type: - - admin - - change - action: audit-setting-changed - "4908": - category: - - iam - - configuration - type: - - admin - - change - action: special-group-table-changed - "4912": - category: - - iam - - configuration 
- type: - - admin - - change - action: per-user-audit-policy-changed - "4950": - category: - - configuration - type: - - change - action: windows-firewall-setting-changed - "4954": - category: - - configuration - type: - - change - action: windows-firewall-group-policy-changed - "4964": - category: - - iam - type: - - admin - - group - action: logged-in-special - "5024": - category: - - process - type: - - start - action: windows-firewall-service-started - "5025": - category: - - process - type: - - end - action: windows-firewall-service-stopped - "5033": - category: - - driver - type: - - start - action: windows-firewall-driver-started - "5034": - category: - - driver - type: - - end - action: windows-firewall-driver-stopped - "5037": - category: - - driver - type: - - end - action: windows-firewall-driver-error - "5136": - category: - - iam - - configuration - type: - - admin - - change - action: directory-service-object-modified - "5140": - category: - - network - - file - type: - - info - - access - action: network-share-object-accessed - "5145": - category: - - network - - file - type: - - info - - access - action: network-share-object-access-checked - "5379": - category: - - iam - type: - - user - - info - action: credential-manager-credentials-were-read - "5380": - category: - - iam - type: - - user - - info - action: vault-credential-find - "5381": - category: - - iam - type: - - user - - info - action: vault-credentials-were-read - "5382": - category: - - iam - type: - - user - - info - action: vault-credentials-were-read - source: |- - if (ctx.event?.code == null || params.get(ctx.event.code) == null) { - return; - } - params.get(ctx.event.code).forEach((k, v) -> { - if (v instanceof List) { - ctx.event[k] = new ArrayList(v); - } else { - ctx.event[k] = v; - } - }); - - script: - lang: painless - ignore_failure: false - tag: Set Logon Type - description: Set Logon Type - # Logon Types - # 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - params: - "2": Interactive - "3": Network - "4": Batch - "5": Service - "7": Unlock - "8": NetworkCleartext - "9": NewCredentials - "10": RemoteInteractive - "11": CachedInteractive - source: |- - if (ctx.winlog?.event_data?.LogonType == null) { - return; - } - def t = params.get(ctx.winlog.event_data.LogonType); - if (t == null) { - return; - } - if (ctx.winlog?.logon == null ) { - Map map = new HashMap(); - ctx.winlog.put("logon", map); - } - ctx.winlog.logon.put("type", t) - - script: - lang: painless - ignore_failure: false - tag: Set User Account Control - description: Set User Account Control - # User Account Control Attributes Table - # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380 - params: - "0x00000001": USER_ACCOUNT_DISABLED - "0x00000002": USER_HOME_DIRECTORY_REQUIRED - "0x00000004": USER_PASSWORD_NOT_REQUIRED - "0x00000008": USER_TEMP_DUPLICATE_ACCOUNT - "0x00000010": USER_NORMAL_ACCOUNT - "0x00000020": USER_MNS_LOGON_ACCOUNT - "0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT - "0x00000080": USER_WORKSTATION_TRUST_ACCOUNT - "0x00000100": USER_SERVER_TRUST_ACCOUNT - "0x00000200": USER_DONT_EXPIRE_PASSWORD - "0x00000400": USER_ACCOUNT_AUTO_LOCKED - "0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED - "0x00001000": USER_SMARTCARD_REQUIRED - "0x00002000": USER_TRUSTED_FOR_DELEGATION - "0x00004000": USER_NOT_DELEGATED - "0x00008000": USER_USE_DES_KEY_ONLY - "0x00010000": USER_DONT_REQUIRE_PREAUTH - "0x00020000": USER_PASSWORD_EXPIRED - "0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - "0x00080000": USER_NO_AUTH_DATA_REQUIRED - "0x00100000": USER_PARTIAL_SECRETS_ACCOUNT - "0x00200000": USER_USE_AES_KEYS - source: |- - if (ctx.winlog?.event_data == null) { - return; - } - if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") { - return; - } - Long 
newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); - ArrayList uacResult = new ArrayList(); - for (entry in params.entrySet()) { - Long flag = Long.decode(entry.getKey()); - if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { - uacResult.add(entry.getValue()); - } - } - if (uacResult.length == 0) { - return; - } - ctx.winlog.event_data.put("NewUACList", uacResult); - if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") { - return; - } - ArrayList uac_array = new ArrayList(); - for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken((String)((char)0x0a))) { - def trimmed = elem.replace("%%","").trim(); - if (trimmed.length() > 0) { - uac_array.add(trimmed); - } - } - ctx.winlog.event_data.UserAccountControl = uac_array; - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Ticket Options - description: Set Kerberos Ticket Options - # Kerberos TGT and TGS Ticket Options - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - params: - "0x40000000": Forwardable - "0x20000000": Forwarded - "0x10000000": Proxiable - "0x08000000": Proxy - "0x04000000": Allow-postdate - "0x02000000": Postdated - "0x01000000": Invalid - "0x00800000": Renewable - "0x00400000": Initial - "0x00200000": Pre-authent - "0x00100000": Opt-hardware-auth - "0x00080000": Transited-policy-checked - "0x00040000": Ok-as-delegate - "0x00020000": Request-anonymous - "0x00010000": Name-canonicalize - "0x00000020": Disable-transited-check - "0x00000010": Renewable-ok - "0x00000008": Enc-tkt-in-skey - "0x00000002": Renew - "0x00000001": Validate - source: |- - if (ctx.winlog?.event_data?.TicketOptions == null) { - return; - } - Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); - ArrayList tDescs = new ArrayList(); - for (entry in params.entrySet()) { - Long 
flag = Long.decode(entry.getKey()); - if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { - tDescs.add(entry.getValue()); - } - } - if (tDescs.length == 0) { - return; - } - ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Encryption Types - description: Set Kerberos Encryption Types - # Kerberos Encryption Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - params: - "0x1": DES-CBC-CRC - "0x3": DES-CBC-MD5 - "0x11": AES128-CTS-HMAC-SHA1-96 - "0x12": AES256-CTS-HMAC-SHA1-96 - "0x17": RC4-HMAC - "0x18": RC4-HMAC-EXP - "0xffffffff": FAIL - source: |- - if (ctx.winlog?.event_data?.TicketEncryptionType == null) { - return; - } - ctx.winlog.event_data.put("TicketEncryptionTypeDescription", - params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Ticket Status Codes - # Kerberos Result Status Codes - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - description: Set Kerberos Ticket Status Codes - params: - "0x0": KDC_ERR_NONE - "0x1": KDC_ERR_NAME_EXP - "0x2": KDC_ERR_SERVICE_EXP - "0x3": KDC_ERR_BAD_PVNO - "0x4": KDC_ERR_C_OLD_MAST_KVNO - "0x5": KDC_ERR_S_OLD_MAST_KVNO - "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN - "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN - "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE - "0x9": KDC_ERR_NULL_KEY - "0xA": KDC_ERR_CANNOT_POSTDATE - "0xB": KDC_ERR_NEVER_VALID - "0xC": KDC_ERR_POLICY - "0xD": KDC_ERR_BADOPTION - "0xE": KDC_ERR_ETYPE_NOTSUPP - "0xF": KDC_ERR_SUMTYPE_NOSUPP - "0x10": KDC_ERR_PADATA_TYPE_NOSUPP - "0x11": KDC_ERR_TRTYPE_NO_SUPP - "0x12": KDC_ERR_CLIENT_REVOKED - "0x13": KDC_ERR_SERVICE_REVOKED - 
"0x14": KDC_ERR_TGT_REVOKED - "0x15": KDC_ERR_CLIENT_NOTYET - "0x16": KDC_ERR_SERVICE_NOTYET - "0x17": KDC_ERR_KEY_EXPIRED - "0x18": KDC_ERR_PREAUTH_FAILED - "0x19": KDC_ERR_PREAUTH_REQUIRED - "0x1A": KDC_ERR_SERVER_NOMATCH - "0x1B": KDC_ERR_MUST_USE_USER2USER - "0x1F": KRB_AP_ERR_BAD_INTEGRITY - "0x20": KRB_AP_ERR_TKT_EXPIRED - "0x21": KRB_AP_ERR_TKT_NYV - "0x22": KRB_AP_ERR_REPEAT - "0x23": KRB_AP_ERR_NOT_US - "0x24": KRB_AP_ERR_BADMATCH - "0x25": KRB_AP_ERR_SKEW - "0x26": KRB_AP_ERR_BADADDR - "0x27": KRB_AP_ERR_BADVERSION - "0x28": KRB_AP_ERR_MSG_TYPE - "0x29": KRB_AP_ERR_MODIFIED - "0x2A": KRB_AP_ERR_BADORDER - "0x2C": KRB_AP_ERR_BADKEYVER - "0x2D": KRB_AP_ERR_NOKEY - "0x2E": KRB_AP_ERR_MUT_FAIL - "0x2F": KRB_AP_ERR_BADDIRECTION - "0x30": KRB_AP_ERR_METHOD - "0x31": KRB_AP_ERR_BADSEQ - "0x32": KRB_AP_ERR_INAPP_CKSUM - "0x33": KRB_AP_PATH_NOT_ACCEPTED - "0x34": KRB_ERR_RESPONSE_TOO_BIG - "0x3C": KRB_ERR_GENERIC - "0x3D": KRB_ERR_FIELD_TOOLONG - "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED - "0x3F": KDC_ERR_KDC_NOT_TRUSTED - "0x40": KDC_ERR_INVALID_SIG - "0x41": KDC_ERR_KEY_TOO_WEAK - "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED - "0x43": KRB_AP_ERR_NO_TGT - "0x44": KDC_ERR_WRONG_REALM - source: |- - if (ctx.winlog?.event_data?.Status == null || - ctx.event?.code == null || - !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { - return; - } - ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]); - - script: - lang: painless - ignore_failure: false - tag: Set Service Type and Name - description: Set Service Type and Name - # Services Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - params: - "0x1": Kernel Driver - "0x2": File System Driver - "0x8": Recognizer Driver - "0x10": Win32 Own Process - "0x20": Win32 Share Process - "0x110": Interactive Own Process - "0x120": Interactive Share Process - source: |- - if (ctx.winlog?.event_data?.ServiceName != null) { - if (ctx.service == null) { 
- HashMap hm = new HashMap(); - ctx.put("service", hm); - } - ctx.service.put("name", ctx.winlog.event_data.ServiceName); - } - if (ctx.winlog.event_data?.ServiceType != null) { - if (ctx.service == null) { - HashMap hm = new HashMap(); - ctx.put("service", hm); - } - ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); - } - - script: - lang: painless - ignore_failure: false - tag: Set Audit Information - description: Set Audit Information - params: - "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] - "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] - "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] - "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] - "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] - "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] - "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] - "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] - "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] - "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] - "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"] - "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] - "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] - "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] - "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] - "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] - "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] - "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] - "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] - "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] - 
"0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] - "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] - "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] - "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] - "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"] - "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] - "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] - "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] - "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] - "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] - "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] - "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] - "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] - "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] - "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"] - "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] - "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] - "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] - "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] - "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] - "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] - "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] - "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] - 
"0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] - "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] - "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] - "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"] - "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] - "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] - "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] - "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] - "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] - "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] - "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] - "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] - "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] - "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] - source: |- - if (ctx.winlog?.event_data?.SubcategoryGuid == null) { - return; - } - def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); - if (!params.containsKey(subCatGuid)) { - return; - } - ctx.winlog.event_data.put("Category", params[subCatGuid][1]); - ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); - - script: - lang: painless - ignore_failure: false - tag: Decode message table - description: Decode message table - # Message table extracted from msobjs.dll on Windows 2019. 
- # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - params: - descriptions: - "279": "Undefined Access (no effect) Bit 7" - "1536": "Unused message ID" - "1537": "DELETE" - "1538": "READ_CONTROL" - "1539": "WRITE_DAC" - "1540": "WRITE_OWNER" - "1541": "SYNCHRONIZE" - "1542": "ACCESS_SYS_SEC" - "1543": "MAX_ALLOWED" - "1552": "Unknown specific access (bit 0)" - "1553": "Unknown specific access (bit 1)" - "1554": "Unknown specific access (bit 2)" - "1555": "Unknown specific access (bit 3)" - "1556": "Unknown specific access (bit 4)" - "1557": "Unknown specific access (bit 5)" - "1558": "Unknown specific access (bit 6)" - "1559": "Unknown specific access (bit 7)" - "1560": "Unknown specific access (bit 8)" - "1561": "Unknown specific access (bit 9)" - "1562": "Unknown specific access (bit 10)" - "1563": "Unknown specific access (bit 11)" - "1564": "Unknown specific access (bit 12)" - "1565": "Unknown specific access (bit 13)" - "1566": "Unknown specific access (bit 14)" - "1567": "Unknown specific access (bit 15)" - "1601": "Not used" - "1603": "Assign Primary Token Privilege" - "1604": "Lock Memory Privilege" - "1605": "Increase Memory Quota Privilege" - "1606": "Unsolicited Input Privilege" - "1607": "Trusted Computer Base Privilege" - "1608": "Security Privilege" - "1609": "Take Ownership Privilege" - "1610": "Load/Unload Driver Privilege" - "1611": "Profile System Privilege" - "1612": "Set System Time Privilege" - "1613": "Profile Single Process Privilege" - "1614": "Increment Base Priority Privilege" - "1615": "Create Pagefile Privilege" - "1616": "Create Permanent Object Privilege" - "1617": "Backup Privilege" - "1618": "Restore From Backup Privilege" - "1619": "Shutdown System Privilege" - "1620": "Debug Privilege" - "1621": "View or Change 
Audit Log Privilege" - "1622": "Change Hardware Environment Privilege" - "1623": "Change Notify (and Traverse) Privilege" - "1624": "Remotely Shut System Down Privilege" - "1792": "" - "1794": "" - "1795": "Enabled" - "1796": "Disabled" - "1797": "All" - "1798": "None" - "1799": "Audit Policy query/set API Operation" - "1800": "" - "1801": "Granted by" - "1802": "Denied by" - "1803": "Denied by Integrity Policy check" - "1804": "Granted by Ownership" - "1805": "Not granted" - "1806": "Granted by NULL DACL" - "1807": "Denied by Empty DACL" - "1808": "Granted by NULL Security Descriptor" - "1809": "Unknown or unchecked" - "1810": "Not granted due to missing" - "1811": "Granted by ACE on parent folder" - "1812": "Denied by ACE on parent folder" - "1813": "Granted by Central Access Rule" - "1814": "NOT Granted by Central Access Rule" - "1815": "Granted by parent folder's Central Access Rule" - "1816": "NOT Granted by parent folder's Central Access Rule" - "1817": "Unknown Type" - "1818": "String" - "1819": "Unsigned 64-bit Integer" - "1820": "64-bit Integer" - "1821": "FQBN" - "1822": "Blob" - "1823": "Sid" - "1824": "Boolean" - "1825": "TRUE" - "1826": "FALSE" - "1827": "Invalid" - "1828": "an ACE too long to display" - "1829": "a Security Descriptor too long to display" - "1830": "Not granted to AppContainers" - "1831": "..." - "1832": "Identification" - "1833": "Impersonation" - "1840": "Delegation" - "1841": "Denied by Process Trust Label ACE" - "1842": "Yes" - "1843": "No" - "1844": "System" - "1845": "Not Available" - "1846": "Default" - "1847": "DisallowMmConfig" - "1848": "Off" - "1849": "Auto" - "1872": "REG_NONE" - "1873": "REG_SZ" - "1874": "REG_EXPAND_SZ" - "1875": "REG_BINARY" - "1876": "REG_DWORD" - "1877": "REG_DWORD_BIG_ENDIAN" - "1878": "REG_LINK" - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)" - "1880": "REG_RESOURCE_LIST" - "1881": "REG_FULL_RESOURCE_DESCRIPTOR" - "1882": "REG_RESOURCE_REQUIREMENTS_LIST" - "1883": "REG_QWORD" - "1904": "New registry value created" - "1905": "Existing registry value modified" - "1906": "Registry value deleted" - "1920": "Sunday" - "1921": "Monday" - "1922": "Tuesday" - "1923": "Wednesday" - "1924": "Thursday" - "1925": "Friday" - "1926": "Saturday" - "1936": "TokenElevationTypeDefault (1)" - "1937": "TokenElevationTypeFull (2)" - "1938": "TokenElevationTypeLimited (3)" - "2048": "Account Enabled" - "2049": "Home Directory Required' - Disabled" - "2050": "Password Not Required' - Disabled" - "2051": "Temp Duplicate Account' - Disabled" - "2052": "Normal Account' - Disabled" - "2053": "MNS Logon Account' - Disabled" - "2054": "Interdomain Trust Account' - Disabled" - "2055": "Workstation Trust Account' - Disabled" - "2056": "Server Trust Account' - Disabled" - "2057": "Don't Expire Password' - Disabled" - "2058": "Account Unlocked" - "2059": "Encrypted Text Password Allowed' - Disabled" - "2060": "Smartcard Required' - Disabled" - "2061": "Trusted For Delegation' - Disabled" - "2062": "Not Delegated' - Disabled" - "2063": "Use DES Key Only' - Disabled" - "2064": "Don't Require Preauth' - Disabled" - "2065": "Password Expired' - Disabled" - "2066": "Trusted To Authenticate For Delegation' - Disabled" - "2067": "Exclude Authorization Information' - Disabled" - "2068": "Undefined UserAccountControl Bit 20' - Disabled" - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" - "2070": "Undefined UserAccountControl Bit 22' - Disabled" - "2071": "Undefined UserAccountControl Bit 23' - Disabled" - "2072": "Undefined UserAccountControl Bit 24' - Disabled" - "2073": "Undefined UserAccountControl Bit 25' - Disabled" - "2074": "Undefined UserAccountControl Bit 26' - Disabled" - "2075": "Undefined UserAccountControl Bit 27' - Disabled" - "2076": "Undefined UserAccountControl Bit 28' - Disabled" 
- "2077": "Undefined UserAccountControl Bit 29' - Disabled" - "2078": "Undefined UserAccountControl Bit 30' - Disabled" - "2079": "Undefined UserAccountControl Bit 31' - Disabled" - "2080": "Account Disabled" - "2081": "Home Directory Required' - Enabled" - "2082": "Password Not Required' - Enabled" - "2083": "Temp Duplicate Account' - Enabled" - "2084": "Normal Account' - Enabled" - "2085": "MNS Logon Account' - Enabled" - "2086": "Interdomain Trust Account' - Enabled" - "2087": "Workstation Trust Account' - Enabled" - "2088": "Server Trust Account' - Enabled" - "2089": "Don't Expire Password' - Enabled" - "2090": "Account Locked" - "2091": "Encrypted Text Password Allowed' - Enabled" - "2092": "Smartcard Required' - Enabled" - "2093": "Trusted For Delegation' - Enabled" - "2094": "Not Delegated' - Enabled" - "2095": "Use DES Key Only' - Enabled" - "2096": "Don't Require Preauth' - Enabled" - "2097": "Password Expired' - Enabled" - "2098": "Trusted To Authenticate For Delegation' - Enabled" - "2099": "Exclude Authorization Information' - Enabled" - "2100": "Undefined UserAccountControl Bit 20' - Enabled" - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" - "2102": "Undefined UserAccountControl Bit 22' - Enabled" - "2103": "Undefined UserAccountControl Bit 23' - Enabled" - "2104": "Undefined UserAccountControl Bit 24' - Enabled" - "2105": "Undefined UserAccountControl Bit 25' - Enabled" - "2106": "Undefined UserAccountControl Bit 26' - Enabled" - "2107": "Undefined UserAccountControl Bit 27' - Enabled" - "2108": "Undefined UserAccountControl Bit 28' - Enabled" - "2109": "Undefined UserAccountControl Bit 29' - Enabled" - "2110": "Undefined UserAccountControl Bit 30' - Enabled" - "2111": "Undefined UserAccountControl Bit 31' - Enabled" - "2304": "An Error occured during Logon." - "2305": "The specified user account has expired." - "2306": "The NetLogon component is not active." - "2307": "Account locked out." 
- "2308": "The user has not been granted the requested logon type at this machine." - "2309": "The specified account's password has expired." - "2310": "Account currently disabled." - "2311": "Account logon time restriction violation." - "2312": "User not allowed to logon at this computer." - "2313": "Unknown user name or bad password." - "2314": "Domain sid inconsistent." - "2315": "Smartcard logon is required and was not used." - "2432": "Not Available." - "2436": "Random number generator failure." - "2437": "Random number generation failed FIPS-140 pre-hash check." - "2438": "Failed to zero secret data." - "2439": "Key failed pair wise consistency check." - "2448": "Failed to unprotect persistent cryptographic key." - "2449": "Key export checks failed." - "2450": "Validation of public key failed." - "2451": "Signature verification failed." - "2456": "Open key file." - "2457": "Delete key file." - "2458": "Read persisted key from file." - "2459": "Write persisted key to file." - "2464": "Export of persistent cryptographic key." - "2465": "Import of persistent cryptographic key." - "2480": "Open Key." - "2481": "Create Key." - "2482": "Delete Key." - "2483": "Encrypt." - "2484": "Decrypt." - "2485": "Sign hash." - "2486": "Secret agreement." - "2487": "Domain settings" - "2488": "Local settings" - "2489": "Add provider." - "2490": "Remove provider." - "2491": "Add context." - "2492": "Remove context." - "2493": "Add function." - "2494": "Remove function." - "2495": "Add function provider." - "2496": "Remove function provider." - "2497": "Add function property." - "2498": "Remove function property." - "2499": "Machine key." - "2500": "User key." - "2501": "Key Derivation." 
- "4352": "Device Access Bit 0" - "4353": "Device Access Bit 1" - "4354": "Device Access Bit 2" - "4355": "Device Access Bit 3" - "4356": "Device Access Bit 4" - "4357": "Device Access Bit 5" - "4358": "Device Access Bit 6" - "4359": "Device Access Bit 7" - "4360": "Device Access Bit 8" - "4361": "Undefined Access (no effect) Bit 9" - "4362": "Undefined Access (no effect) Bit 10" - "4363": "Undefined Access (no effect) Bit 11" - "4364": "Undefined Access (no effect) Bit 12" - "4365": "Undefined Access (no effect) Bit 13" - "4366": "Undefined Access (no effect) Bit 14" - "4367": "Undefined Access (no effect) Bit 15" - "4368": "Query directory" - "4369": "Traverse" - "4370": "Create object in directory" - "4371": "Create sub-directory" - "4372": "Undefined Access (no effect) Bit 4" - "4373": "Undefined Access (no effect) Bit 5" - "4374": "Undefined Access (no effect) Bit 6" - "4375": "Undefined Access (no effect) Bit 7" - "4376": "Undefined Access (no effect) Bit 8" - "4377": "Undefined Access (no effect) Bit 9" - "4378": "Undefined Access (no effect) Bit 10" - "4379": "Undefined Access (no effect) Bit 11" - "4380": "Undefined Access (no effect) Bit 12" - "4381": "Undefined Access (no effect) Bit 13" - "4382": "Undefined Access (no effect) Bit 14" - "4383": "Undefined Access (no effect) Bit 15" - "4384": "Query event state" - "4385": "Modify event state" - "4386": "Undefined Access (no effect) Bit 2" - "4387": "Undefined Access (no effect) Bit 3" - "4388": "Undefined Access (no effect) Bit 4" - "4389": "Undefined Access (no effect) Bit 5" - "4390": "Undefined Access (no effect) Bit 6" - "4391": "Undefined Access (no effect) Bit 7" - "4392": "Undefined Access (no effect) Bit 8" - "4393": "Undefined Access (no effect) Bit 9" - "4394": "Undefined Access (no effect) Bit 10" - "4395": "Undefined Access (no effect) Bit 11" - "4396": "Undefined Access (no effect) Bit 12" - "4397": "Undefined Access (no effect) Bit 13" - "4398": "Undefined Access (no effect) Bit 14" - 
"4399": "Undefined Access (no effect) Bit 15" - "4416": "ReadData (or ListDirectory)" - "4417": "WriteData (or AddFile)" - "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" - "4419": "ReadEA" - "4420": "WriteEA" - "4421": "Execute/Traverse" - "4422": "DeleteChild" - "4423": "ReadAttributes" - "4424": "WriteAttributes" - "4425": "Undefined Access (no effect) Bit 9" - "4426": "Undefined Access (no effect) Bit 10" - "4427": "Undefined Access (no effect) Bit 11" - "4428": "Undefined Access (no effect) Bit 12" - "4429": "Undefined Access (no effect) Bit 13" - "4430": "Undefined Access (no effect) Bit 14" - "4431": "Undefined Access (no effect) Bit 15" - "4432": "Query key value" - "4433": "Set key value" - "4434": "Create sub-key" - "4435": "Enumerate sub-keys" - "4436": "Notify about changes to keys" - "4437": "Create Link" - "4438": "Undefined Access (no effect) Bit 6" - "4439": "Undefined Access (no effect) Bit 7" - "4440": "Enable 64(or 32) bit application to open 64 bit key" - "4441": "Enable 64(or 32) bit application to open 32 bit key" - "4442": "Undefined Access (no effect) Bit 10" - "4443": "Undefined Access (no effect) Bit 11" - "4444": "Undefined Access (no effect) Bit 12" - "4445": "Undefined Access (no effect) Bit 13" - "4446": "Undefined Access (no effect) Bit 14" - "4447": "Undefined Access (no effect) Bit 15" - "4448": "Query mutant state" - "4449": "Undefined Access (no effect) Bit 1" - "4450": "Undefined Access (no effect) Bit 2" - "4451": "Undefined Access (no effect) Bit 3" - "4452": "Undefined Access (no effect) Bit 4" - "4453": "Undefined Access (no effect) Bit 5" - "4454": "Undefined Access (no effect) Bit 6" - "4455": "Undefined Access (no effect) Bit 7" - "4456": "Undefined Access (no effect) Bit 8" - "4457": "Undefined Access (no effect) Bit 9" - "4458": "Undefined Access (no effect) Bit 10" - "4459": "Undefined Access (no effect) Bit 11" - "4460": "Undefined Access (no effect) Bit 12" - "4461": "Undefined Access (no effect) Bit 
13" - "4462": "Undefined Access (no effect) Bit 14" - "4463": "Undefined Access (no effect) Bit 15" - "4464": "Communicate using port" - "4465": "Undefined Access (no effect) Bit 1" - "4466": "Undefined Access (no effect) Bit 2" - "4467": "Undefined Access (no effect) Bit 3" - "4468": "Undefined Access (no effect) Bit 4" - "4469": "Undefined Access (no effect) Bit 5" - "4470": "Undefined Access (no effect) Bit 6" - "4471": "Undefined Access (no effect) Bit 7" - "4472": "Undefined Access (no effect) Bit 8" - "4473": "Undefined Access (no effect) Bit 9" - "4474": "Undefined Access (no effect) Bit 10" - "4475": "Undefined Access (no effect) Bit 11" - "4476": "Undefined Access (no effect) Bit 12" - "4477": "Undefined Access (no effect) Bit 13" - "4478": "Undefined Access (no effect) Bit 14" - "4479": "Undefined Access (no effect) Bit 15" - "4480": "Force process termination" - "4481": "Create new thread in process" - "4482": "Set process session ID" - "4483": "Perform virtual memory operation" - "4484": "Read from process memory" - "4485": "Write to process memory" - "4486": "Duplicate handle into or out of process" - "4487": "Create a subprocess of process" - "4488": "Set process quotas" - "4489": "Set process information" - "4490": "Query process information" - "4491": "Set process termination port" - "4492": "Undefined Access (no effect) Bit 12" - "4493": "Undefined Access (no effect) Bit 13" - "4494": "Undefined Access (no effect) Bit 14" - "4495": "Undefined Access (no effect) Bit 15" - "4496": "Control profile" - "4497": "Undefined Access (no effect) Bit 1" - "4498": "Undefined Access (no effect) Bit 2" - "4499": "Undefined Access (no effect) Bit 3" - "4500": "Undefined Access (no effect) Bit 4" - "4501": "Undefined Access (no effect) Bit 5" - "4502": "Undefined Access (no effect) Bit 6" - "4503": "Undefined Access (no effect) Bit 7" - "4504": "Undefined Access (no effect) Bit 8" - "4505": "Undefined Access (no effect) Bit 9" - "4506": "Undefined Access (no 
effect) Bit 10" - "4507": "Undefined Access (no effect) Bit 11" - "4508": "Undefined Access (no effect) Bit 12" - "4509": "Undefined Access (no effect) Bit 13" - "4510": "Undefined Access (no effect) Bit 14" - "4511": "Undefined Access (no effect) Bit 15" - "4512": "Query section state" - "4513": "Map section for write" - "4514": "Map section for read" - "4515": "Map section for execute" - "4516": "Extend size" - "4517": "Undefined Access (no effect) Bit 5" - "4518": "Undefined Access (no effect) Bit 6" - "4519": "Undefined Access (no effect) Bit 7" - "4520": "Undefined Access (no effect) Bit 8" - "4521": "Undefined Access (no effect) Bit 9" - "4522": "Undefined Access (no effect) Bit 10" - "4523": "Undefined Access (no effect) Bit 11" - "4524": "Undefined Access (no effect) Bit 12" - "4525": "Undefined Access (no effect) Bit 13" - "4526": "Undefined Access (no effect) Bit 14" - "4527": "Undefined Access (no effect) Bit 15" - "4528": "Query semaphore state" - "4529": "Modify semaphore state" - "4530": "Undefined Access (no effect) Bit 2" - "4531": "Undefined Access (no effect) Bit 3" - "4532": "Undefined Access (no effect) Bit 4" - "4533": "Undefined Access (no effect) Bit 5" - "4534": "Undefined Access (no effect) Bit 6" - "4535": "Undefined Access (no effect) Bit 7" - "4536": "Undefined Access (no effect) Bit 8" - "4537": "Undefined Access (no effect) Bit 9" - "4538": "Undefined Access (no effect) Bit 10" - "4539": "Undefined Access (no effect) Bit 11" - "4540": "Undefined Access (no effect) Bit 12" - "4541": "Undefined Access (no effect) Bit 13" - "4542": "Undefined Access (no effect) Bit 14" - "4543": "Undefined Access (no effect) Bit 15" - "4544": "Use symbolic link" - "4545": "Undefined Access (no effect) Bit 1" - "4546": "Undefined Access (no effect) Bit 2" - "4547": "Undefined Access (no effect) Bit 3" - "4548": "Undefined Access (no effect) Bit 4" - "4549": "Undefined Access (no effect) Bit 5" - "4550": "Undefined Access (no effect) Bit 6" - "4551": 
"Undefined Access (no effect) Bit 7" - "4552": "Undefined Access (no effect) Bit 8" - "4553": "Undefined Access (no effect) Bit 9" - "4554": "Undefined Access (no effect) Bit 10" - "4555": "Undefined Access (no effect) Bit 11" - "4556": "Undefined Access (no effect) Bit 12" - "4557": "Undefined Access (no effect) Bit 13" - "4558": "Undefined Access (no effect) Bit 14" - "4559": "Undefined Access (no effect) Bit 15" - "4560": "Force thread termination" - "4561": "Suspend or resume thread" - "4562": "Send an alert to thread" - "4563": "Get thread context" - "4564": "Set thread context" - "4565": "Set thread information" - "4566": "Query thread information" - "4567": "Assign a token to the thread" - "4568": "Cause thread to directly impersonate another thread" - "4569": "Directly impersonate this thread" - "4570": "Undefined Access (no effect) Bit 10" - "4571": "Undefined Access (no effect) Bit 11" - "4572": "Undefined Access (no effect) Bit 12" - "4573": "Undefined Access (no effect) Bit 13" - "4574": "Undefined Access (no effect) Bit 14" - "4575": "Undefined Access (no effect) Bit 15" - "4576": "Query timer state" - "4577": "Modify timer state" - "4578": "Undefined Access (no effect) Bit 2" - "4579": "Undefined Access (no effect) Bit 3" - "4580": "Undefined Access (no effect) Bit 4" - "4581": "Undefined Access (no effect) Bit 5" - "4582": "Undefined Access (no effect) Bit 6" - "4584": "Undefined Access (no effect) Bit 8" - "4585": "Undefined Access (no effect) Bit 9" - "4586": "Undefined Access (no effect) Bit 10" - "4587": "Undefined Access (no effect) Bit 11" - "4588": "Undefined Access (no effect) Bit 12" - "4589": "Undefined Access (no effect) Bit 13" - "4590": "Undefined Access (no effect) Bit 14" - "4591": "Undefined Access (no effect) Bit 15" - "4592": "AssignAsPrimary" - "4593": "Duplicate" - "4594": "Impersonate" - "4595": "Query" - "4596": "QuerySource" - "4597": "AdjustPrivileges" - "4598": "AdjustGroups" - "4599": "AdjustDefaultDacl" - "4600": 
"AdjustSessionID" - "4601": "Undefined Access (no effect) Bit 9" - "4602": "Undefined Access (no effect) Bit 10" - "4603": "Undefined Access (no effect) Bit 11" - "4604": "Undefined Access (no effect) Bit 12" - "4605": "Undefined Access (no effect) Bit 13" - "4606": "Undefined Access (no effect) Bit 14" - "4607": "Undefined Access (no effect) Bit 15" - "4608": "Create instance of object type" - "4609": "Undefined Access (no effect) Bit 1" - "4610": "Undefined Access (no effect) Bit 2" - "4611": "Undefined Access (no effect) Bit 3" - "4612": "Undefined Access (no effect) Bit 4" - "4613": "Undefined Access (no effect) Bit 5" - "4614": "Undefined Access (no effect) Bit 6" - "4615": "Undefined Access (no effect) Bit 7" - "4616": "Undefined Access (no effect) Bit 8" - "4617": "Undefined Access (no effect) Bit 9" - "4618": "Undefined Access (no effect) Bit 10" - "4619": "Undefined Access (no effect) Bit 11" - "4620": "Undefined Access (no effect) Bit 12" - "4621": "Undefined Access (no effect) Bit 13" - "4622": "Undefined Access (no effect) Bit 14" - "4623": "Undefined Access (no effect) Bit 15" - "4864": "Query State" - "4865": "Modify State" - "5120": "Channel read message" - "5121": "Channel write message" - "5122": "Channel query information" - "5123": "Channel set information" - "5124": "Undefined Access (no effect) Bit 4" - "5125": "Undefined Access (no effect) Bit 5" - "5126": "Undefined Access (no effect) Bit 6" - "5127": "Undefined Access (no effect) Bit 7" - "5128": "Undefined Access (no effect) Bit 8" - "5129": "Undefined Access (no effect) Bit 9" - "5130": "Undefined Access (no effect) Bit 10" - "5131": "Undefined Access (no effect) Bit 11" - "5132": "Undefined Access (no effect) Bit 12" - "5133": "Undefined Access (no effect) Bit 13" - "5134": "Undefined Access (no effect) Bit 14" - "5135": "Undefined Access (no effect) Bit 15" - "5136": "Assign process" - "5137": "Set Attributes" - "5138": "Query Attributes" - "5139": "Terminate Job" - "5140": "Set Security 
Attributes" - "5141": "Undefined Access (no effect) Bit 5" - "5142": "Undefined Access (no effect) Bit 6" - "5143": "Undefined Access (no effect) Bit 7" - "5144": "Undefined Access (no effect) Bit 8" - "5145": "Undefined Access (no effect) Bit 9" - "5146": "Undefined Access (no effect) Bit 10" - "5147": "Undefined Access (no effect) Bit 11" - "5148": "Undefined Access (no effect) Bit 12" - "5149": "Undefined Access (no effect) Bit 13" - "5150": "Undefined Access (no effect) Bit 14" - "5151": "Undefined Access (no effect) Bit 15" - "5376": "ConnectToServer" - "5377": "ShutdownServer" - "5378": "InitializeServer" - "5379": "CreateDomain" - "5380": "EnumerateDomains" - "5381": "LookupDomain" - "5382": "Undefined Access (no effect) Bit 6" - "5383": "Undefined Access (no effect) Bit 7" - "5384": "Undefined Access (no effect) Bit 8" - "5385": "Undefined Access (no effect) Bit 9" - "5386": "Undefined Access (no effect) Bit 10" - "5387": "Undefined Access (no effect) Bit 11" - "5388": "Undefined Access (no effect) Bit 12" - "5389": "Undefined Access (no effect) Bit 13" - "5390": "Undefined Access (no effect) Bit 14" - "5391": "Undefined Access (no effect) Bit 15" - "5392": "ReadPasswordParameters" - "5393": "WritePasswordParameters" - "5394": "ReadOtherParameters" - "5395": "WriteOtherParameters" - "5396": "CreateUser" - "5397": "CreateGlobalGroup" - "5398": "CreateLocalGroup" - "5399": "GetLocalGroupMembership" - "5400": "ListAccounts" - "5401": "LookupIDs" - "5402": "AdministerServer" - "5403": "Undefined Access (no effect) Bit 11" - "5404": "Undefined Access (no effect) Bit 12" - "5405": "Undefined Access (no effect) Bit 13" - "5406": "Undefined Access (no effect) Bit 14" - "5407": "Undefined Access (no effect) Bit 15" - "5408": "ReadInformation" - "5409": "WriteAccount" - "5410": "AddMember" - "5411": "RemoveMember" - "5412": "ListMembers" - "5413": "Undefined Access (no effect) Bit 5" - "5414": "Undefined Access (no effect) Bit 6" - "5415": "Undefined Access (no 
effect) Bit 7" - "5416": "Undefined Access (no effect) Bit 8" - "5417": "Undefined Access (no effect) Bit 9" - "5418": "Undefined Access (no effect) Bit 10" - "5419": "Undefined Access (no effect) Bit 11" - "5420": "Undefined Access (no effect) Bit 12" - "5421": "Undefined Access (no effect) Bit 13" - "5422": "Undefined Access (no effect) Bit 14" - "5423": "Undefined Access (no effect) Bit 15" - "5424": "AddMember" - "5425": "RemoveMember" - "5426": "ListMembers" - "5427": "ReadInformation" - "5428": "WriteAccount" - "5429": "Undefined Access (no effect) Bit 5" - "5430": "Undefined Access (no effect) Bit 6" - "5431": "Undefined Access (no effect) Bit 7" - "5432": "Undefined Access (no effect) Bit 8" - "5433": "Undefined Access (no effect) Bit 9" - "5434": "Undefined Access (no effect) Bit 10" - "5435": "Undefined Access (no effect) Bit 11" - "5436": "Undefined Access (no effect) Bit 12" - "5437": "Undefined Access (no effect) Bit 13" - "5438": "Undefined Access (no effect) Bit 14" - "5439": "Undefined Access (no effect) Bit 15" - "5440": "ReadGeneralInformation" - "5441": "ReadPreferences" - "5442": "WritePreferences" - "5443": "ReadLogon" - "5444": "ReadAccount" - "5445": "WriteAccount" - "5446": "ChangePassword (with knowledge of old password)" - "5447": "SetPassword (without knowledge of old password)" - "5448": "ListGroups" - "5449": "ReadGroupMembership" - "5450": "ChangeGroupMembership" - "5451": "Undefined Access (no effect) Bit 11" - "5452": "Undefined Access (no effect) Bit 12" - "5453": "Undefined Access (no effect) Bit 13" - "5454": "Undefined Access (no effect) Bit 14" - "5455": "Undefined Access (no effect) Bit 15" - "5632": "View non-sensitive policy information" - "5633": "View system audit requirements" - "5634": "Get sensitive policy information" - "5635": "Modify domain trust relationships" - "5636": "Create special accounts (for assignment of user rights)" - "5637": "Create a secret object" - "5638": "Create a privilege" - "5639": "Set default 
quota limits" - "5640": "Change system audit requirements" - "5641": "Administer audit log attributes" - "5642": "Enable/Disable LSA" - "5643": "Lookup Names/SIDs" - "5648": "Change secret value" - "5649": "Query secret value" - "5650": "Undefined Access (no effect) Bit 2" - "5651": "Undefined Access (no effect) Bit 3" - "5652": "Undefined Access (no effect) Bit 4" - "5653": "Undefined Access (no effect) Bit 5" - "5654": "Undefined Access (no effect) Bit 6" - "5655": "Undefined Access (no effect) Bit 7" - "5656": "Undefined Access (no effect) Bit 8" - "5657": "Undefined Access (no effect) Bit 9" - "5658": "Undefined Access (no effect) Bit 10" - "5659": "Undefined Access (no effect) Bit 11" - "5660": "Undefined Access (no effect) Bit 12" - "5661": "Undefined Access (no effect) Bit 13" - "5662": "Undefined Access (no effect) Bit 14" - "5663": "Undefined Access (no effect) Bit 15" - "5664": "Query trusted domain name/SID" - "5665": "Retrieve the controllers in the trusted domain" - "5666": "Change the controllers in the trusted domain" - "5667": "Query the Posix ID offset assigned to the trusted domain" - "5668": "Change the Posix ID offset assigned to the trusted domain" - "5669": "Undefined Access (no effect) Bit 5" - "5670": "Undefined Access (no effect) Bit 6" - "5671": "Undefined Access (no effect) Bit 7" - "5672": "Undefined Access (no effect) Bit 8" - "5673": "Undefined Access (no effect) Bit 9" - "5674": "Undefined Access (no effect) Bit 10" - "5675": "Undefined Access (no effect) Bit 11" - "5676": "Undefined Access (no effect) Bit 12" - "5677": "Undefined Access (no effect) Bit 13" - "5678": "Undefined Access (no effect) Bit 14" - "5679": "Undefined Access (no effect) Bit 15" - "5680": "Query account information" - "5681": "Change privileges assigned to account" - "5682": "Change quotas assigned to account" - "5683": "Change logon capabilities assigned to account" - "5684": "Change the Posix ID offset assigned to the accounted domain" - "5685": "Undefined 
Access (no effect) Bit 5" - "5686": "Undefined Access (no effect) Bit 6" - "5687": "Undefined Access (no effect) Bit 7" - "5688": "Undefined Access (no effect) Bit 8" - "5689": "Undefined Access (no effect) Bit 9" - "5690": "Undefined Access (no effect) Bit 10" - "5691": "Undefined Access (no effect) Bit 11" - "5692": "Undefined Access (no effect) Bit 12" - "5693": "Undefined Access (no effect) Bit 13" - "5694": "Undefined Access (no effect) Bit 14" - "5695": "Undefined Access (no effect) Bit 15" - "5696": "KeyedEvent Wait" - "5697": "KeyedEvent Wake" - "5698": "Undefined Access (no effect) Bit 2" - "5699": "Undefined Access (no effect) Bit 3" - "5700": "Undefined Access (no effect) Bit 4" - "5701": "Undefined Access (no effect) Bit 5" - "5702": "Undefined Access (no effect) Bit 6" - "5703": "Undefined Access (no effect) Bit 7" - "5704": "Undefined Access (no effect) Bit 8" - "5705": "Undefined Access (no effect) Bit 9" - "5706": "Undefined Access (no effect) Bit 10" - "5707": "Undefined Access (no effect) Bit 11" - "5708": "Undefined Access (no effect) Bit 12" - "5709": "Undefined Access (no effect) Bit 13" - "5710": "Undefined Access (no effect) Bit 14" - "5711": "Undefined Access (no effect) Bit 15" - "6656": "Enumerate desktops" - "6657": "Read attributes" - "6658": "Access Clipboard" - "6659": "Create desktop" - "6660": "Write attributes" - "6661": "Access global atoms" - "6662": "Exit windows" - "6663": "Unused Access Flag" - "6664": "Include this windowstation in enumerations" - "6665": "Read screen" - "6672": "Read Objects" - "6673": "Create window" - "6674": "Create menu" - "6675": "Hook control" - "6676": "Journal (record)" - "6677": "Journal (playback)" - "6678": "Include this desktop in enumerations" - "6679": "Write objects" - "6680": "Switch to this desktop" - "6912": "Administer print server" - "6913": "Enumerate printers" - "6930": "Full Control" - "6931": "Print" - "6948": "Administer Document" - "7168": "Connect to service controller" - "7169": 
"Create a new service" - "7170": "Enumerate services" - "7171": "Lock service database for exclusive access" - "7172": "Query service database lock state" - "7173": "Set last-known-good state of service database" - "7184": "Query service configuration information" - "7185": "Set service configuration information" - "7186": "Query status of service" - "7187": "Enumerate dependencies of service" - "7188": "Start the service" - "7189": "Stop the service" - "7190": "Pause or continue the service" - "7191": "Query information from service" - "7192": "Issue service-specific control commands" - "7424": "DDE Share Read" - "7425": "DDE Share Write" - "7426": "DDE Share Initiate Static" - "7427": "DDE Share Initiate Link" - "7428": "DDE Share Request" - "7429": "DDE Share Advise" - "7430": "DDE Share Poke" - "7431": "DDE Share Execute" - "7432": "DDE Share Add Items" - "7433": "DDE Share List Items" - "7680": "Create Child" - "7681": "Delete Child" - "7682": "List Contents" - "7683": "Write Self" - "7684": "Read Property" - "7685": "Write Property" - "7686": "Delete Tree" - "7687": "List Object" - "7688": "Control Access" - "7689": "Undefined Access (no effect) Bit 9" - "7690": "Undefined Access (no effect) Bit 10" - "7691": "Undefined Access (no effect) Bit 11" - "7692": "Undefined Access (no effect) Bit 12" - "7693": "Undefined Access (no effect) Bit 13" - "7694": "Undefined Access (no effect) Bit 14" - "7695": "Undefined Access (no effect) Bit 15" - "7936": "Audit Set System Policy" - "7937": "Audit Query System Policy" - "7938": "Audit Set Per User Policy" - "7939": "Audit Query Per User Policy" - "7940": "Audit Enumerate Users" - "7941": "Audit Set Options" - "7942": "Audit Query Options" - "8064": "Port sharing (read)" - "8065": "Port sharing (write)" - "8096": "Default credentials" - "8097": "Credentials manager" - "8098": "Fresh credentials" - "8192": "Kerberos" - "8193": "Preshared key" - "8194": "Unknown authentication" - "8195": "DES" - "8196": "3DES" - "8197": 
"MD5" - "8198": "SHA1" - "8199": "Local computer" - "8200": "Remote computer" - "8201": "No state" - "8202": "Sent first (SA) payload" - "8203": "Sent second (KE) payload" - "8204": "Sent third (ID) payload" - "8205": "Initiator" - "8206": "Responder" - "8207": "No state" - "8208": "Sent first (SA) payload" - "8209": "Sent final payload" - "8210": "Complete" - "8211": "Unknown" - "8212": "Transport" - "8213": "Tunnel" - "8214": "IKE/AuthIP DoS prevention mode started" - "8215": "IKE/AuthIP DoS prevention mode stopped" - "8216": "Enabled" - "8217": "Not enabled" - "8218": "No state" - "8219": "Sent first (EM attributes) payload" - "8220": "Sent second (SSPI) payload" - "8221": "Sent third (hash) payload" - "8222": "IKEv1" - "8223": "AuthIP" - "8224": "Anonymous" - "8225": "NTLM V2" - "8226": "CGA" - "8227": "Certificate" - "8228": "SSL" - "8229": "None" - "8230": "DH group 1" - "8231": "DH group 2" - "8232": "DH group 14" - "8233": "DH group ECP 256" - "8234": "DH group ECP 384" - "8235": "AES-128" - "8236": "AES-192" - "8237": "AES-256" - "8238": "Certificate ECDSA P256" - "8239": "Certificate ECDSA P384" - "8240": "SSL ECDSA P256" - "8241": "SSL ECDSA P384" - "8242": "SHA 256" - "8243": "SHA 384" - "8244": "IKEv2" - "8245": "EAP payload sent" - "8246": "Authentication payload sent" - "8247": "EAP" - "8248": "DH group 24" - "8272": "System" - "8273": "Logon/Logoff" - "8274": "Object Access" - "8275": "Privilege Use" - "8276": "Detailed Tracking" - "8277": "Policy Change" - "8278": "Account Management" - "8279": "DS Access" - "8280": "Account Logon" - "8448": "Success removed" - "8449": "Success Added" - "8450": "Failure removed" - "8451": "Failure Added" - "8452": "Success include removed" - "8453": "Success include added" - "8454": "Success exclude removed" - "8455": "Success exclude added" - "8456": "Failure include removed" - "8457": "Failure include added" - "8458": "Failure exclude removed" - "8459": "Failure exclude added" - "12288": "Security State Change" - 
"12289": "Security System Extension" - "12290": "System Integrity" - "12291": "IPsec Driver" - "12292": "Other System Events" - "12544": "Logon" - "12545": "Logoff" - "12546": "Account Lockout" - "12547": "IPsec Main Mode" - "12548": "Special Logon" - "12549": "IPsec Quick Mode" - "12550": "IPsec Extended Mode" - "12551": "Other Logon/Logoff Events" - "12552": "Network Policy Server" - "12553": "User / Device Claims" - "12554": "Group Membership" - "12800": "File System" - "12801": "Registry" - "12802": "Kernel Object" - "12803": "SAM" - "12804": "Other Object Access Events" - "12805": "Certification Services" - "12806": "Application Generated" - "12807": "Handle Manipulation" - "12808": "File Share" - "12809": "Filtering Platform Packet Drop" - "12810": "Filtering Platform Connection" - "12811": "Detailed File Share" - "12812": "Removable Storage" - "12813": "Central Policy Staging" - "13056": "Sensitive Privilege Use" - "13057": "Non Sensitive Privilege Use" - "13058": "Other Privilege Use Events" - "13312": "Process Creation" - "13313": "Process Termination" - "13314": "DPAPI Activity" - "13315": "RPC Events" - "13316": "Plug and Play Events" - "13317": "Token Right Adjusted Events" - "13568": "Audit Policy Change" - "13569": "Authentication Policy Change" - "13570": "Authorization Policy Change" - "13571": "MPSSVC Rule-Level Policy Change" - "13572": "Filtering Platform Policy Change" - "13573": "Other Policy Change Events" - "13824": "User Account Management" - "13825": "Computer Account Management" - "13826": "Security Group Management" - "13827": "Distribution Group Management" - "13828": "Application Group Management" - "13829": "Other Account Management Events" - "14080": "Directory Service Access" - "14081": "Directory Service Changes" - "14082": "Directory Service Replication" - "14083": "Detailed Directory Service Replication" - "14336": "Credential Validation" - "14337": "Kerberos Service Ticket Operations" - "14338": "Other Account Logon Events" - 
"14339": "Kerberos Authentication Service" - "14592": "Inbound" - "14593": "Outbound" - "14594": "Forward" - "14595": "Bidirectional" - "14596": "IP Packet" - "14597": "Transport" - "14598": "Forward" - "14599": "Stream" - "14600": "Datagram Data" - "14601": "ICMP Error" - "14602": "MAC 802.3" - "14603": "MAC Native" - "14604": "vSwitch" - "14608": "Resource Assignment" - "14609": "Listen" - "14610": "Receive/Accept" - "14611": "Connect" - "14612": "Flow Established" - "14614": "Resource Release" - "14615": "Endpoint Closure" - "14616": "Connect Redirect" - "14617": "Bind Redirect" - "14624": "Stream Packet" - "14640": "ICMP Echo-Request" - "14641": "vSwitch Ingress" - "14642": "vSwitch Egress" - "14672": "" - "14673": "[NULL]" - "14674": "Value Added" - "14675": "Value Deleted" - "14676": "Active Directory Domain Services" - "14677": "Active Directory Lightweight Directory Services" - "14678": "Yes" - "14679": "No" - "14680": "Value Added With Expiration Time" - "14681": "Value Deleted With Expiration Time" - "14688": "Value Auto Deleted With Expiration Time" - "16384": "Add" - "16385": "Delete" - "16386": "Boot-time" - "16387": "Persistent" - "16388": "Not persistent" - "16389": "Block" - "16390": "Permit" - "16391": "Callout" - "16392": "MD5" - "16393": "SHA-1" - "16394": "SHA-256" - "16395": "AES-GCM 128" - "16396": "AES-GCM 192" - "16397": "AES-GCM 256" - "16398": "DES" - "16399": "3DES" - "16400": "AES-128" - "16401": "AES-192" - "16402": "AES-256" - "16403": "Transport" - "16404": "Tunnel" - "16405": "Responder" - "16406": "Initiator" - "16407": "AES-GMAC 128" - "16408": "AES-GMAC 192" - "16409": "AES-GMAC 256" - "16416": "AuthNoEncap Transport" - "16896": "Enable WMI Account" - "16897": "Execute Method" - "16898": "Full Write" - "16899": "Partial Write" - "16900": "Provider Write" - "16901": "Remote Access" - "16902": "Subscribe" - "16903": "Publish" - reversed_descriptions: - "..." 
: ["1831"] - "3DES" : ["8196","16399"] - "64-bit Integer" : ["1820"] - "" : ["14672"] - "" : ["1800"] - "" : ["1794"] - "" : ["1793"] - "ACCESS_SYS_SEC" : ["1542"] - "AES-128" : ["16400","8235"] - "AES-192" : ["8236","16401"] - "AES-256" : ["16402","8237"] - "AES-GCM 128" : ["16395"] - "AES-GCM 192" : ["16396"] - "AES-GCM 256" : ["16397"] - "AES-GMAC 128" : ["16407"] - "AES-GMAC 192" : ["16408"] - "AES-GMAC 256" : ["16409"] - "Access Clipboard" : ["6658"] - "Access global atoms" : ["6661"] - "Account Disabled" : ["2080"] - "Account Enabled" : ["2048"] - "Account Locked" : ["2090"] - "Account Lockout" : ["12546"] - "Account Logon" : ["8280"] - "Account Management" : ["8278"] - "Account Unlocked" : ["2058"] - "Account currently disabled." : ["2310"] - "Account locked out." : ["2307"] - "Account logon time restriction violation." : ["2311"] - "Active Directory Domain Services" : ["14676"] - "Active Directory Lightweight Directory Services" : ["14677"] - "Add" : ["16384"] - "Add context." : ["2491"] - "Add function property." : ["2497"] - "Add function provider." : ["2495"] - "Add function." : ["2493"] - "Add provider." : ["2489"] - "AddMember" : ["5410","5424"] - "AdjustDefaultDacl" : ["4599"] - "AdjustGroups" : ["4598"] - "AdjustPrivileges" : ["4597"] - "AdjustSessionID" : ["4600"] - "Administer Document" : ["6948"] - "Administer audit log attributes" : ["5641"] - "Administer print server" : ["6912"] - "AdministerServer" : ["5402"] - "All" : ["1797"] - "An Error occured during Logon." 
: ["2304"] - "Anonymous" : ["8224"] - "AppendData (or AddSubdirectory or CreatePipeInstance)" : ["4418"] - "Application Generated" : ["12806"] - "Application Group Management" : ["13828"] - "Assign Primary Token Privilege" : ["1603"] - "Assign a token to the thread" : ["4567"] - "Assign process" : ["5136"] - "AssignAsPrimary" : ["4592"] - "Audit Enumerate Users" : ["7940"] - "Audit Policy Change" : ["13568"] - "Audit Policy query/set API Operation" : ["1799"] - "Audit Query Options" : ["7942"] - "Audit Query Per User Policy" : ["7939"] - "Audit Query System Policy" : ["7937"] - "Audit Set Options" : ["7941"] - "Audit Set Per User Policy" : ["7938"] - "Audit Set System Policy" : ["7936"] - "AuthIP" : ["8223"] - "AuthNoEncap Transport" : ["16416"] - "Authentication Policy Change" : ["13569"] - "Authentication payload sent" : ["8246"] - "Authorization Policy Change" : ["13570"] - "Auto" : ["1849"] - "Backup Privilege" : ["1617"] - "Bidirectional" : ["14595"] - "Bind Redirect" : ["14617"] - "Blob" : ["1822"] - "Block" : ["16389"] - "Boolean" : ["1824"] - "Boot-time" : ["16386"] - "CGA" : ["8226"] - "Callout" : ["16391"] - "Cause thread to directly impersonate another thread" : ["4568"] - "Central Policy Staging" : ["12813"] - "Certificate" : ["8227"] - "Certificate ECDSA P256" : ["8238"] - "Certificate ECDSA P384" : ["8239"] - "Certification Services" : ["12805"] - "Change Hardware Environment Privilege" : ["1622"] - "Change Notify (and Traverse) Privilege" : ["1623"] - "Change logon capabilities assigned to account" : ["5683"] - "Change privileges assigned to account" : ["5681"] - "Change quotas assigned to account" : ["5682"] - "Change secret value" : ["5648"] - "Change system audit requirements" : ["5640"] - "Change the Posix ID offset assigned to the accounted domain" : ["5684"] - "Change the Posix ID offset assigned to the trusted domain" : ["5668"] - "Change the controllers in the trusted domain" : ["5666"] - "ChangeGroupMembership" : ["5450"] - "ChangePassword 
(with knowledge of old password)" : ["5446"] - "Channel query information" : ["5122"] - "Channel read message" : ["5120"] - "Channel set information" : ["5123"] - "Channel write message" : ["5121"] - "Communicate using port" : ["4464"] - "Complete" : ["8210"] - "Computer Account Management" : ["13825"] - "Connect" : ["14611"] - "Connect Redirect" : ["14616"] - "Connect to service controller" : ["7168"] - "ConnectToServer" : ["5376"] - "Control Access" : ["7688"] - "Control profile" : ["4496"] - "Create Child" : ["7680"] - "Create Key." : ["2481"] - "Create Link" : ["4437"] - "Create Pagefile Privilege" : ["1615"] - "Create Permanent Object Privilege" : ["1616"] - "Create a new service" : ["7169"] - "Create a privilege" : ["5638"] - "Create a secret object" : ["5637"] - "Create a subprocess of process" : ["4487"] - "Create desktop" : ["6659"] - "Create instance of object type" : ["4608"] - "Create menu" : ["6674"] - "Create new thread in process" : ["4481"] - "Create object in directory" : ["4370"] - "Create special accounts (for assignment of user rights)" : ["5636"] - "Create sub-directory" : ["4371"] - "Create sub-key" : ["4434"] - "Create window" : ["6673"] - "CreateDomain" : ["5379"] - "CreateGlobalGroup" : ["5397"] - "CreateLocalGroup" : ["5398"] - "CreateUser" : ["5396"] - "Credential Validation" : ["14336"] - "Credentials manager" : ["8097"] - "DDE Share Add Items" : ["7432"] - "DDE Share Advise" : ["7429"] - "DDE Share Execute" : ["7431"] - "DDE Share Initiate Link" : ["7427"] - "DDE Share Initiate Static" : ["7426"] - "DDE Share List Items" : ["7433"] - "DDE Share Poke" : ["7430"] - "DDE Share Read" : ["7424"] - "DDE Share Request" : ["7428"] - "DDE Share Write" : ["7425"] - "DELETE" : ["1537"] - "DES" : ["16398","8195"] - "DH group 1" : ["8230"] - "DH group 14" : ["8232"] - "DH group 2" : ["8231"] - "DH group 24" : ["8248"] - "DH group ECP 256" : ["8233"] - "DH group ECP 384" : ["8234"] - "DPAPI Activity" : ["13314"] - "DS Access" : ["8279"] - "Datagram 
Data" : ["14600"] - "Debug Privilege" : ["1620"] - "Decrypt." : ["2484"] - "Default" : ["1846"] - "Default credentials" : ["8096"] - "Delegation" : ["1840"] - "Delete" : ["16385"] - "Delete Child" : ["7681"] - "Delete Key." : ["2482"] - "Delete Tree" : ["7686"] - "Delete key file." : ["2457"] - "DeleteChild" : ["4422"] - "Denied by" : ["1802"] - "Denied by ACE on parent folder" : ["1812"] - "Denied by Empty DACL" : ["1807"] - "Denied by Integrity Policy check" : ["1803"] - "Denied by Process Trust Label ACE" : ["1841"] - "Detailed Directory Service Replication" : ["14083"] - "Detailed File Share" : ["12811"] - "Detailed Tracking" : ["8276"] - "Device Access Bit 0" : ["4352"] - "Device Access Bit 1" : ["4353"] - "Device Access Bit 2" : ["4354"] - "Device Access Bit 3" : ["4355"] - "Device Access Bit 4" : ["4356"] - "Device Access Bit 5" : ["4357"] - "Device Access Bit 6" : ["4358"] - "Device Access Bit 7" : ["4359"] - "Device Access Bit 8" : ["4360"] - "Directly impersonate this thread" : ["4569"] - "Directory Service Access" : ["14080"] - "Directory Service Changes" : ["14081"] - "Directory Service Replication" : ["14082"] - "Disabled" : ["1796"] - "DisallowMmConfig" : ["1847"] - "Distribution Group Management" : ["13827"] - "Domain settings" : ["2487"] - "Domain sid inconsistent." : ["2314"] - "Don't Expire Password' - Disabled" : ["2057"] - "Don't Expire Password' - Enabled" : ["2089"] - "Don't Require Preauth' - Disabled" : ["2064"] - "Don't Require Preauth' - Enabled" : ["2096"] - "Duplicate" : ["4593"] - "Duplicate handle into or out of process" : ["4486"] - "EAP" : ["8247"] - "EAP payload sent" : ["8245"] - "Enable 64(or 32) bit application to open 32 bit key" : ["4441"] - "Enable 64(or 32) bit application to open 64 bit key" : ["4440"] - "Enable WMI Account" : ["16896"] - "Enable/Disable LSA" : ["5642"] - "Enabled" : ["1795","8216"] - "Encrypt." 
: ["2483"] - "Encrypted Text Password Allowed' - Disabled" : ["2059"] - "Encrypted Text Password Allowed' - Enabled" : ["2091"] - "Endpoint Closure" : ["14615"] - "Enumerate dependencies of service" : ["7187"] - "Enumerate desktops" : ["6656"] - "Enumerate printers" : ["6913"] - "Enumerate services" : ["7170"] - "Enumerate sub-keys" : ["4435"] - "EnumerateDomains" : ["5380"] - "Exclude Authorization Information' - Disabled" : ["2067"] - "Exclude Authorization Information' - Enabled" : ["2099"] - "Execute Method" : ["16897"] - "Execute/Traverse" : ["4421"] - "Existing registry value modified" : ["1905"] - "Exit windows" : ["6662"] - "Export of persistent cryptographic key." : ["2464"] - "Extend size" : ["4516"] - "FALSE" : ["1826"] - "FQBN" : ["1821"] - "Failed to unprotect persistent cryptographic key." : ["2448"] - "Failed to zero secret data." : ["2438"] - "Failure Added" : ["8451"] - "Failure exclude added" : ["8459"] - "Failure exclude removed" : ["8458"] - "Failure include added" : ["8457"] - "Failure include removed" : ["8456"] - "Failure removed" : ["8450"] - "File Share" : ["12808"] - "File System" : ["12800"] - "Filtering Platform Connection" : ["12810"] - "Filtering Platform Packet Drop" : ["12809"] - "Filtering Platform Policy Change" : ["13572"] - "Flow Established" : ["14612"] - "Force process termination" : ["4480"] - "Force thread termination" : ["4560"] - "Forward" : ["14598","14594"] - "Fresh credentials" : ["8098"] - "Friday" : ["1925"] - "Full Control" : ["6930"] - "Full Write" : ["16898"] - "Get sensitive policy information" : ["5634"] - "Get thread context" : ["4563"] - "GetLocalGroupMembership" : ["5399"] - "Granted by" : ["1801"] - "Granted by ACE on parent folder" : ["1811"] - "Granted by Central Access Rule" : ["1813"] - "Granted by NULL DACL" : ["1806"] - "Granted by NULL Security Descriptor" : ["1808"] - "Granted by Ownership" : ["1804"] - "Granted by parent folder's Central Access Rule" : ["1815"] - "Group Membership" : ["12554"] - 
"Handle Manipulation" : ["12807"] - "Home Directory Required' - Disabled" : ["2049"] - "Home Directory Required' - Enabled" : ["2081"] - "Hook control" : ["6675"] - "ICMP Echo-Request" : ["14640"] - "ICMP Error" : ["14601"] - "IKE/AuthIP DoS prevention mode started" : ["8214"] - "IKE/AuthIP DoS prevention mode stopped" : ["8215"] - "IKEv1" : ["8222"] - "IKEv2" : ["8244"] - "IP Packet" : ["14596"] - "IPsec Driver" : ["12291"] - "IPsec Extended Mode" : ["12550"] - "IPsec Main Mode" : ["12547"] - "IPsec Quick Mode" : ["12549"] - "Identification" : ["1832"] - "Impersonate" : ["4594"] - "Impersonation" : ["1833"] - "Import of persistent cryptographic key." : ["2465"] - "Inbound" : ["14592"] - "Include this desktop in enumerations" : ["6678"] - "Include this windowstation in enumerations" : ["6664"] - "Increase Memory Quota Privilege" : ["1605"] - "Increment Base Priority Privilege" : ["1614"] - "InitializeServer" : ["5378"] - "Initiator" : ["8205","16406"] - "Interdomain Trust Account' - Disabled" : ["2054"] - "Interdomain Trust Account' - Enabled" : ["2086"] - "Invalid" : ["1827"] - "Issue service-specific control commands" : ["7192"] - "Journal (playback)" : ["6677"] - "Journal (record)" : ["6676"] - "Kerberos" : ["8192"] - "Kerberos Authentication Service" : ["14339"] - "Kerberos Service Ticket Operations" : ["14337"] - "Kernel Object" : ["12802"] - "Key Derivation." : ["2501"] - "Key export checks failed." : ["2449"] - "Key failed pair wise consistency check." 
: ["2439"] - "KeyedEvent Wait" : ["5696"] - "KeyedEvent Wake" : ["5697"] - "List Contents" : ["7682"] - "List Object" : ["7687"] - "ListAccounts" : ["5400"] - "ListGroups" : ["5448"] - "ListMembers" : ["5412","5426"] - "Listen" : ["14609"] - "Load/Unload Driver Privilege" : ["1610"] - "Local computer" : ["8199"] - "Local settings" : ["2488"] - "Lock Memory Privilege" : ["1604"] - "Lock service database for exclusive access" : ["7171"] - "Logoff" : ["12545"] - "Logon" : ["12544"] - "Logon/Logoff" : ["8273"] - "Lookup Names/SIDs" : ["5643"] - "LookupDomain" : ["5381"] - "LookupIDs" : ["5401"] - "MAC 802.3" : ["14602"] - "MAC Native" : ["14603"] - "MAX_ALLOWED" : ["1543"] - "MD5" : ["16392","8197"] - "MNS Logon Account' - Disabled" : ["2053"] - "MNS Logon Account' - Enabled" : ["2085"] - "MPSSVC Rule-Level Policy Change" : ["13571"] - "Machine key." : ["2499"] - "Map section for execute" : ["4515"] - "Map section for read" : ["4514"] - "Map section for write" : ["4513"] - "Modify State" : ["4865"] - "Modify domain trust relationships" : ["5635"] - "Modify event state" : ["4385"] - "Modify semaphore state" : ["4529"] - "Modify timer state" : ["4577"] - "Monday" : ["1921"] - "NOT Granted by Central Access Rule" : ["1814"] - "NOT Granted by parent folder's Central Access Rule" : ["1816"] - "NTLM V2" : ["8225"] - "Network Policy Server" : ["12552"] - "New registry value created" : ["1904"] - "No" : ["14679","1843"] - "No state" : ["8207","8218","8201"] - "Non Sensitive Privilege Use" : ["13057"] - "None" : ["1798","8229"] - "Normal Account' - Disabled" : ["2052"] - "Normal Account' - Enabled" : ["2084"] - "Not Available" : ["1845"] - "Not Available." 
: ["2432"] - "Not Delegated' - Disabled" : ["2062"] - "Not Delegated' - Enabled" : ["2094"] - "Not enabled" : ["8217"] - "Not granted" : ["1805"] - "Not granted due to missing" : ["1810"] - "Not granted to AppContainers" : ["1830"] - "Not persistent" : ["16388"] - "Not used" : ["1601"] - "Notify about changes to keys" : ["4436"] - "Object Access" : ["8274"] - "Off" : ["1848"] - "Open Key." : ["2480"] - "Open key file." : ["2456"] - "Other Account Logon Events" : ["14338"] - "Other Account Management Events" : ["13829"] - "Other Logon/Logoff Events" : ["12551"] - "Other Object Access Events" : ["12804"] - "Other Policy Change Events" : ["13573"] - "Other Privilege Use Events" : ["13058"] - "Other System Events" : ["12292"] - "Outbound" : ["14593"] - "Partial Write" : ["16899"] - "Password Expired' - Disabled" : ["2065"] - "Password Expired' - Enabled" : ["2097"] - "Password Not Required' - Disabled" : ["2050"] - "Password Not Required' - Enabled" : ["2082"] - "Pause or continue the service" : ["7190"] - "Perform virtual memory operation" : ["4483"] - "Permit" : ["16390"] - "Persistent" : ["16387"] - "Plug and Play Events" : ["13316"] - "Policy Change" : ["8277"] - "Port sharing (read)" : ["8064"] - "Port sharing (write)" : ["8065"] - "Preshared key" : ["8193"] - "Print" : ["6931"] - "Privilege Use" : ["8275"] - "Process Creation" : ["13312"] - "Process Termination" : ["13313"] - "Profile Single Process Privilege" : ["1613"] - "Profile System Privilege" : ["1611"] - "Protect Kerberos Service Tickets with AES Keys' - Disabled" : ["2069"] - "Protect Kerberos Service Tickets with AES Keys' - Enabled" : ["2101"] - "Provider Write" : ["16900"] - "Publish" : ["16903"] - "Query" : ["4595"] - "Query Attributes" : ["5138"] - "Query State" : ["4864"] - "Query account information" : ["5680"] - "Query directory" : ["4368"] - "Query event state" : ["4384"] - "Query information from service" : ["7191"] - "Query key value" : ["4432"] - "Query mutant state" : ["4448"] - "Query 
process information" : ["4490"] - "Query secret value" : ["5649"] - "Query section state" : ["4512"] - "Query semaphore state" : ["4528"] - "Query service configuration information" : ["7184"] - "Query service database lock state" : ["7172"] - "Query status of service" : ["7186"] - "Query the Posix ID offset assigned to the trusted domain" : ["5667"] - "Query thread information" : ["4566"] - "Query timer state" : ["4576"] - "Query trusted domain name/SID" : ["5664"] - "QuerySource" : ["4596"] - "READ_CONTROL" : ["1538"] - "REG_BINARY" : ["1875"] - "REG_DWORD" : ["1876"] - "REG_DWORD_BIG_ENDIAN" : ["1877"] - "REG_EXPAND_SZ" : ["1874"] - "REG_FULL_RESOURCE_DESCRIPTOR" : ["1881"] - "REG_LINK" : ["1878"] - "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" : ["1879"] - "REG_NONE" : ["1872"] - "REG_QWORD" : ["1883"] - "REG_RESOURCE_LIST" : ["1880"] - "REG_RESOURCE_REQUIREMENTS_LIST" : ["1882"] - "REG_SZ" : ["1873"] - "RPC Events" : ["13315"] - "Random number generation failed FIPS-140 pre-hash check." : ["2437"] - "Random number generator failure." : ["2436"] - "Read Objects" : ["6672"] - "Read Property" : ["7684"] - "Read attributes" : ["6657"] - "Read from process memory" : ["4484"] - "Read persisted key from file." : ["2458"] - "Read screen" : ["6665"] - "ReadAccount" : ["5444"] - "ReadAttributes" : ["4423"] - "ReadData (or ListDirectory)" : ["4416"] - "ReadEA" : ["4419"] - "ReadGeneralInformation" : ["5440"] - "ReadGroupMembership" : ["5449"] - "ReadInformation" : ["5427","5408"] - "ReadLogon" : ["5443"] - "ReadOtherParameters" : ["5394"] - "ReadPasswordParameters" : ["5392"] - "ReadPreferences" : ["5441"] - "Receive/Accept" : ["14610"] - "Registry" : ["12801"] - "Registry value deleted" : ["1906"] - "Remote Access" : ["16901"] - "Remote computer" : ["8200"] - "Remotely Shut System Down Privilege" : ["1624"] - "Removable Storage" : ["12812"] - "Remove context." : ["2492"] - "Remove function property." : ["2498"] - "Remove function provider." 
: ["2496"] - "Remove function." : ["2494"] - "Remove provider." : ["2490"] - "RemoveMember" : ["5425","5411"] - "Resource Assignment" : ["14608"] - "Resource Release" : ["14614"] - "Responder" : ["16405","8206"] - "Restore From Backup Privilege" : ["1618"] - "Retrieve the controllers in the trusted domain" : ["5665"] - "SAM" : ["12803"] - "SHA 256" : ["8242"] - "SHA 384" : ["8243"] - "SHA-1" : ["16393"] - "SHA-256" : ["16394"] - "SHA1" : ["8198"] - "SSL" : ["8228"] - "SSL ECDSA P256" : ["8240"] - "SSL ECDSA P384" : ["8241"] - "SYNCHRONIZE" : ["1541"] - "Saturday" : ["1926"] - "Secret agreement." : ["2486"] - "Security Group Management" : ["13826"] - "Security Privilege" : ["1608"] - "Security State Change" : ["12288"] - "Security System Extension" : ["12289"] - "Send an alert to thread" : ["4562"] - "Sensitive Privilege Use" : ["13056"] - "Sent final payload" : ["8209"] - "Sent first (EM attributes) payload" : ["8219"] - "Sent first (SA) payload" : ["8208","8202"] - "Sent second (KE) payload" : ["8203"] - "Sent second (SSPI) payload" : ["8220"] - "Sent third (ID) payload" : ["8204"] - "Sent third (hash) payload" : ["8221"] - "Server Trust Account' - Disabled" : ["2056"] - "Server Trust Account' - Enabled" : ["2088"] - "Set Attributes" : ["5137"] - "Set Security Attributes" : ["5140"] - "Set System Time Privilege" : ["1612"] - "Set default quota limits" : ["5639"] - "Set key value" : ["4433"] - "Set last-known-good state of service database" : ["7173"] - "Set process information" : ["4489"] - "Set process quotas" : ["4488"] - "Set process session ID" : ["4482"] - "Set process termination port" : ["4491"] - "Set service configuration information" : ["7185"] - "Set thread context" : ["4564"] - "Set thread information" : ["4565"] - "SetPassword (without knowledge of old password)" : ["5447"] - "Shutdown System Privilege" : ["1619"] - "ShutdownServer" : ["5377"] - "Sid" : ["1823"] - "Sign hash." : ["2485"] - "Signature verification failed." 
: ["2451"] - "Smartcard Required' - Disabled" : ["2060"] - "Smartcard Required' - Enabled" : ["2092"] - "Smartcard logon is required and was not used." : ["2315"] - "Special Logon" : ["12548"] - "Start the service" : ["7188"] - "Stop the service" : ["7189"] - "Stream" : ["14599"] - "Stream Packet" : ["14624"] - "String" : ["1818"] - "Subscribe" : ["16902"] - "Success Added" : ["8449"] - "Success exclude added" : ["8455"] - "Success exclude removed" : ["8454"] - "Success include added" : ["8453"] - "Success include removed" : ["8452"] - "Success removed" : ["8448"] - "Sunday" : ["1920"] - "Suspend or resume thread" : ["4561"] - "Switch to this desktop" : ["6680"] - "System" : ["1844","8272"] - "System Integrity" : ["12290"] - "TRUE" : ["1825"] - "Take Ownership Privilege" : ["1609"] - "Temp Duplicate Account' - Disabled" : ["2051"] - "Temp Duplicate Account' - Enabled" : ["2083"] - "Terminate Job" : ["5139"] - "The NetLogon component is not active." : ["2306"] - "The specified account's password has expired." : ["2309"] - "The specified user account has expired." : ["2305"] - "The user has not been granted the requested logon type at this machine." 
: ["2308"] - "Thursday" : ["1924"] - "Token Right Adjusted Events" : ["13317"] - "TokenElevationTypeDefault (1)" : ["1936"] - "TokenElevationTypeFull (2)" : ["1937"] - "TokenElevationTypeLimited (3)" : ["1938"] - "Transport" : ["14597","16403","8212"] - "Traverse" : ["4369"] - "Trusted Computer Base Privilege" : ["1607"] - "Trusted For Delegation' - Disabled" : ["2061"] - "Trusted For Delegation' - Enabled" : ["2093"] - "Trusted To Authenticate For Delegation' - Disabled" : ["2066"] - "Trusted To Authenticate For Delegation' - Enabled" : ["2098"] - "Tuesday" : ["1922"] - "Tunnel" : ["16404","8213"] - "Undefined Access (no effect) Bit 1" : ["4609","4545","4497","4465","4449"] - "Undefined Access (no effect) Bit 10" : ["4554","4618","4378","5418","4474","7690","5690","4442","4522","4458","4602","5658","5434","5146","5706","4426","5386","4362","4538","4570","4586","5674","4506","4394","5130"] - "Undefined Access (no effect) Bit 11" : ["4587","5435","5691","5675","4603","4379","5451","5387","5707","4619","7691","4395","4459","4427","4571","4363","4539","5403","4443","5147","4523","5131","4475","4555","4507","5419","5659"] - "Undefined Access (no effect) Bit 12" : ["5660","4364","4620","5708","4540","4428","4524","5148","5420","4508","5404","5452","4380","4460","4604","5436","4492","4396","4556","7692","5676","4588","4476","4572","4444","5132","5692","5388"] - "Undefined Access (no effect) Bit 13" : ["5149","5437","4477","5389","4525","4557","5421","4605","4541","4461","5677","5693","4509","4621","4589","4381","5405","4429","4445","4573","5661","4397","5709","4365","5453","7693","4493","5133"] - "Undefined Access (no effect) Bit 14" : ["4510","4366","4606","4462","4558","5694","4446","5710","5390","5438","4478","4398","4382","4590","5150","5454","5134","5678","7694","5662","4526","4622","5422","4574","4542","4494","4430","5406"] - "Undefined Access (no effect) Bit 15" : 
["4399","5679","4447","5391","5407","5135","4559","4591","5663","5439","4511","4431","4495","5151","4607","7695","4623","4575","4543","4479","5455","4367","4383","5695","5423","5711","4527","4463"] - "Undefined Access (no effect) Bit 2" : ["4450","4498","4466","5698","4386","5650","4610","4578","4530","4546"] - "Undefined Access (no effect) Bit 3" : ["4451","5699","4579","5651","4467","4387","4547","4611","4531","4499"] - "Undefined Access (no effect) Bit 4" : ["4372","5652","5124","4468","4580","4548","4500","4452","4532","5700","4612","4388"] - "Undefined Access (no effect) Bit 5" : ["5669","5701","5653","4517","4453","4469","4501","5125","4549","4533","4581","5429","5685","4373","5413","4389","4613","5141"] - "Undefined Access (no effect) Bit 6" : ["5654","4534","4502","4390","5414","5382","4550","4582","4518","4614","4438","4454","4374","5126","4470","5430","5702","5670","5686","5142"] - "Undefined Access (no effect) Bit 7" : ["4519","4455","5143","4375","5703","4471","5383","5415","4391","5687","5431","5655","4551","5127","4503","4439","5671","279","4535","4615"] - "Undefined Access (no effect) Bit 8" : ["5144","4376","5656","4552","4472","4504","4456","5128","4392","4616","4536","4584","4520","5432","5384","5672","5416","5704","5688"] - "Undefined Access (no effect) Bit 9" : ["5433","5145","4361","4457","4601","4537","4585","4393","4521","5657","5673","4553","7689","5385","4425","4505","4377","5689","5417","5705","4617","5129","4473"] - "Undefined UserAccountControl Bit 20' - Disabled" : ["2068"] - "Undefined UserAccountControl Bit 20' - Enabled" : ["2100"] - "Undefined UserAccountControl Bit 22' - Disabled" : ["2070"] - "Undefined UserAccountControl Bit 22' - Enabled" : ["2102"] - "Undefined UserAccountControl Bit 23' - Disabled" : ["2071"] - "Undefined UserAccountControl Bit 23' - Enabled" : ["2103"] - "Undefined UserAccountControl Bit 24' - Disabled" : ["2072"] - "Undefined UserAccountControl Bit 24' - Enabled" : ["2104"] - "Undefined UserAccountControl 
Bit 25' - Disabled" : ["2073"] - "Undefined UserAccountControl Bit 25' - Enabled" : ["2105"] - "Undefined UserAccountControl Bit 26' - Disabled" : ["2074"] - "Undefined UserAccountControl Bit 26' - Enabled" : ["2106"] - "Undefined UserAccountControl Bit 27' - Disabled" : ["2075"] - "Undefined UserAccountControl Bit 27' - Enabled" : ["2107"] - "Undefined UserAccountControl Bit 28' - Disabled" : ["2076"] - "Undefined UserAccountControl Bit 28' - Enabled" : ["2108"] - "Undefined UserAccountControl Bit 29' - Disabled" : ["2077"] - "Undefined UserAccountControl Bit 29' - Enabled" : ["2109"] - "Undefined UserAccountControl Bit 30' - Disabled" : ["2078"] - "Undefined UserAccountControl Bit 30' - Enabled" : ["2110"] - "Undefined UserAccountControl Bit 31' - Disabled" : ["2079"] - "Undefined UserAccountControl Bit 31' - Enabled" : ["2111"] - "Unknown" : ["8211"] - "Unknown Type" : ["1817"] - "Unknown authentication" : ["8194"] - "Unknown or unchecked" : ["1809"] - "Unknown specific access (bit 0)" : ["1552"] - "Unknown specific access (bit 1)" : ["1553"] - "Unknown specific access (bit 10)" : ["1562"] - "Unknown specific access (bit 11)" : ["1563"] - "Unknown specific access (bit 12)" : ["1564"] - "Unknown specific access (bit 13)" : ["1565"] - "Unknown specific access (bit 14)" : ["1566"] - "Unknown specific access (bit 15)" : ["1567"] - "Unknown specific access (bit 2)" : ["1554"] - "Unknown specific access (bit 3)" : ["1555"] - "Unknown specific access (bit 4)" : ["1556"] - "Unknown specific access (bit 5)" : ["1557"] - "Unknown specific access (bit 6)" : ["1558"] - "Unknown specific access (bit 7)" : ["1559"] - "Unknown specific access (bit 8)" : ["1560"] - "Unknown specific access (bit 9)" : ["1561"] - "Unknown user name or bad password." 
: ["2313"] - "Unsigned 64-bit Integer" : ["1819"] - "Unsolicited Input Privilege" : ["1606"] - "Unused Access Flag" : ["6663"] - "Unused message ID" : ["1536"] - "Use DES Key Only' - Disabled" : ["2063"] - "Use DES Key Only' - Enabled" : ["2095"] - "Use symbolic link" : ["4544"] - "User / Device Claims" : ["12553"] - "User Account Management" : ["13824"] - "User key." : ["2500"] - "User not allowed to logon at this computer." : ["2312"] - "Validation of public key failed." : ["2450"] - "Value Added" : ["14674"] - "Value Added With Expiration Time" : ["14680"] - "Value Auto Deleted With Expiration Time" : ["14688"] - "Value Deleted" : ["14675"] - "Value Deleted With Expiration Time" : ["14681"] - "View non-sensitive policy information" : ["5632"] - "View or Change Audit Log Privilege" : ["1621"] - "View system audit requirements" : ["5633"] - "WRITE_DAC" : ["1539"] - "WRITE_OWNER" : ["1540"] - "Wednesday" : ["1923"] - "Workstation Trust Account' - Disabled" : ["2055"] - "Workstation Trust Account' - Enabled" : ["2087"] - "Write Property" : ["7685"] - "Write Self" : ["7683"] - "Write attributes" : ["6660"] - "Write objects" : ["6679"] - "Write persisted key to file." 
: ["2459"] - "Write to process memory" : ["4485"] - "WriteAccount" : ["5409","5445","5428"] - "WriteAttributes" : ["4424"] - "WriteData (or AddFile)" : ["4417"] - "WriteEA" : ["4420"] - "WriteOtherParameters" : ["5395"] - "WritePasswordParameters" : ["5393"] - "WritePreferences" : ["5442"] - "Yes" : ["1842","14678"] - "[NULL]" : ["14673"] - "a Security Descriptor too long to display" : ["1829"] - "an ACE too long to display" : ["1828"] - "vSwitch" : ["14604"] - "vSwitch Egress" : ["14642"] - "vSwitch Ingress" : ["14641"] - AccessMaskDescriptions: - "0x00000001": Create Child - "0x00000002": Delete Child - "0x00000004": List Contents - "0x00000008": SELF - "0x00000010": Read Property - "0x00000020": Write Property - "0x00000040": Delete Treee - "0x00000080": List Object - "0x00000100": Control Access - "0x00010000": DELETE - "0x00020000": READ_CONTROL - "0x00040000": WRITE_DAC - "0x00080000": WRITE_OWNER - "0x00100000": SYNCHRONIZE - "0x00F00000": STANDARD_RIGHTS_REQUIRED - "0x001F0000": STANDARD_RIGHTS_ALL - "0x0000FFFF": SPECIFIC_RIGHTS_ALL - "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY - "0x10000000": ADS_RIGHT_GENERIC_ALL - "0x20000000": ADS_RIGHT_GENERIC_EXECUTE - "0x40000000": ADS_RIGHT_GENERIC_WRITE - "0x80000000": ADS_RIGHT_GENERIC_READ - source: |- - def split(String s) { - def f = new ArrayList(); - int last = 0; - for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {} - for (def i = last; i < s.length(); i++) { - if (!Character.isWhitespace(s.charAt(i))) { - continue; - } - f.add(s.substring(last, i)); - for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {} - last = i; - } - f.add(s.substring(last)); - return f; - } - if (ctx.winlog?.event_data?.FailureReason != null) { - def code = ctx.winlog.event_data.FailureReason.replace("%%",""); - def desc = params.descriptions[code]; - if (desc == null) { - desc = code; - } - if (desc != null) { - if (ctx.winlog?.logon == null ) { - HashMap hm = new HashMap(); - 
ctx.winlog.put("logon", hm); - } - if (ctx.winlog?.logon?.failure == null) { - HashMap hm = new HashMap(); - ctx.winlog.logon.put("failure", hm); - } - ctx.winlog.logon.failure.put("reason", desc); - } - } - if (ctx.winlog?.event_data?.AuditPolicyChanges != null) { - ArrayList results = new ArrayList(); - for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) { - def code = elem.replace("%%","").trim(); - if (params.descriptions.containsKey(code)) { - results.add(params.descriptions[code]); - } else { - results.add(code); - } - } - if (results.length > 0) { - ctx.winlog.event_data.put("AuditPolicyChangesDescription", results); - } - } - if (ctx.winlog?.event_data?.AccessList != null) { - ArrayList codes = new ArrayList(); - ArrayList results = new ArrayList(); - for (elem in split(ctx.winlog.event_data.AccessList)) { - def code = elem.replace("%%","").trim(); - if (code != "") { - codes.add(code); - } - if (params.descriptions.containsKey(code)) { - results.add(params.descriptions[code]); - } else { - results.add(code); - } - } - if (codes.length > 0) { - ctx.winlog.event_data.AccessList = codes; - } - if (results.length > 0) { - ctx.winlog.event_data.put("AccessListDescription", results); - } - } - if (ctx.winlog?.event_data?.Direction != null) { - def code = ctx.winlog.event_data.Direction.replace("%%","").trim(); - if (params.descriptions.containsKey(code)) { - ctx.winlog.event_data.put("DirectionDescription", params.descriptions[code]); - } - } - if (ctx.winlog?.event_data?.LayerName != null) { - def code = ctx.winlog.event_data.LayerName.replace("%%","").trim(); - if (params.descriptions.containsKey(code)) { - ctx.winlog.event_data.put("LayerNameDescription", params.descriptions[code]); - } - } - if (ctx.winlog?.event_data?.AccessMask != null) { - ArrayList list = new ArrayList(); - long accessMask; - for (elem in split(ctx.winlog.event_data.AccessMask)) { - if (elem.length() == 0) { - continue; - } - def code = elem.replace("%%","").trim(); 
- if (params.descriptions.containsKey(code)) { - list.add(params.descriptions[code]); - } else { - list.add(code); - if (params.reversed_descriptions.containsKey(code)) - code = params.reversed_descriptions[code][0]; - } - try { - def longCode = Long.decode(code).longValue(); - accessMask |= longCode; - } catch (Exception e) {} - } - if (list.length > 0) { - ctx.winlog.event_data.put("AccessMask", list); - } - - ArrayList desc = new ArrayList(); - def[] w = new def[] { null }; - for (long b = 0; b < 32; b++) { - long flag = 1L << b; - if ((accessMask & flag) == flag) { - w[0] = flag; - def fDesc = params.AccessMaskDescriptions[String.format("0x%08X", w)]; - if (fDesc != null) { - desc.add(fDesc); - } - } - } - if (desc.length > 0) { - ctx.winlog.event_data.put("AccessMaskDescription", desc); - } - ArrayList results = new ArrayList(); - } - - script: - lang: painless - ignore_failure: false - tag: 4625 and 4776 Set Status and SubStatus - description: 4625 and 4776 Set Status and SubStatus - # Descriptions of failure status codes. - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - params: - "0xc000005e": "There are currently no logon servers available to service the logon request." - "0xc0000064": "User logon with misspelled or bad user account" - "0xc000006a": "User logon with misspelled or bad password" - "0xc000006d": "This is either due to a bad username or authentication information" - "0xc000006e": "Unknown user name or bad password." - "0xc000006f": "User logon outside authorized hours" - "0xc0000070": "User logon from unauthorized workstation" - "0xc0000071": "User logon with expired password" - "0xc0000072": "User logon to account disabled by administrator" - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation." 
- "0xc0000133": "Clocks between DC and other computer too far out of sync" - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine" - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed." - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started." - "0xc0000193": "User logon with expired account" - "0xc0000224": "User is required to change password at next logon" - "0xc0000225": "Evidently a bug in Windows and not a risk" - "0xc0000234": "User logon with account locked" - "0xc00002ee": "Failure Reason: An Error occurred during Logon" - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine." - "0xc0000371": "The local account store does not contain secret material for the specified account" - "0x0": "Status OK." - source: |- - if (ctx.winlog?.event_data?.Status == null || - ctx.event?.code == null || - !["4625", "4776"].contains(ctx.event.code)) { - return; - } - if (params.containsKey(ctx.winlog.event_data.Status)) { - if (ctx.winlog?.logon == null ) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - if (ctx.winlog?.logon?.failure == null) { - HashMap hm = new HashMap(); - ctx.winlog.logon.put("failure", hm); - } - ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]); - } - if (ctx.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) { - return; - } - if (ctx.winlog?.logon == null ) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - if (ctx.winlog?.logon?.failure == null) { - HashMap hm = new HashMap(); - ctx.winlog.logon.put("failure", hm); - } - ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]); - - script: - lang: painless - ignore_failure: false - tag: Set 
Trust Type - description: Set Trust Type - # Trust Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "1": "TRUST_TYPE_DOWNLEVEL" - "2": "TRUST_TYPE_UPLEVEL" - "3": "TRUST_TYPE_MIT" - "4": "TRUST_TYPE_DCE" - source: |- - if (ctx.winlog?.event_data?.TdoType == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoType)) { - return; - } - ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]); - - script: - lang: painless - ignore_failure: false - tag: Set Trust Direction - description: Set Trust Direction - # Trust Direction - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "0": "TRUST_DIRECTION_DISABLED" - "1": "TRUST_DIRECTION_INBOUND" - "2": "TRUST_DIRECTION_OUTBOUND" - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - source: |- - if (ctx.winlog?.event_data?.TdoDirection == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) { - return; - } - ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]); - - script: - lang: painless - ignore_failure: false - tag: Set Trust Attributes - description: Set Trust Attributes - # Trust Attributes - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "0": "UNDEFINED" - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE" - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY" - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST" - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - source: |- - if (ctx.winlog?.event_data?.TdoAttributes == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) { - return; - } - 
ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]); - - script: - lang: painless - ignore_failure: false - tag: Add Session Events - description: Add Session Events - source: |- - if (ctx.event?.code == null || - !["4778", "4779"].contains(ctx.event.code)) { - return; - } - //AccountName to user.name and related.user - if (ctx.winlog?.event_data?.AccountName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.event_data.AccountName); - if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) { - ctx.related.user.add(ctx.winlog.event_data.AccountName); - } - } - - //AccountDomain to user.domain - if (ctx.winlog?.event_data?.AccountDomain != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("domain", ctx.winlog.event_data.AccountDomain); - } - - //ClientAddress to source.ip and related.ip - if (ctx.winlog?.event_data?.ClientAddress != null && - ctx.winlog.event_data.ClientAddress != "-" && - ctx.winlog.event_data.ClientAddress != "Unknown") { - // Correct invalid IP address "LOCAL" - if (ctx?.winlog?.event_data?.ClientAddress == "LOCAL") { - ctx.winlog.event_data.ClientAddress="127.0.0.1"; - } - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.ip == null) { - ArrayList al = new ArrayList(); - ctx.related.put("ip", al); - } - ctx.source.put("ip", ctx.winlog.event_data.ClientAddress); - if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) { - ctx.related.ip.add(ctx.winlog.event_data.ClientAddress); - } - } - - //ClientName to source.domain - if 
(ctx.winlog?.event_data?.ClientName != null) { - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("domain", ctx.winlog.event_data.ClientName); - } - - //LogonID to winlog.logon.id - if (ctx.winlog?.event_data?.LogonID != null) { - if (ctx.winlog?.logon == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID); - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User - description: Copy Target User - source: |- - if (ctx.event?.code == null || - !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770", - "4771", "4776", "4964"].contains(ctx.event.code)) { - return; - } - - def targetUserId = ctx.winlog?.event_data?.TargetUserSid; - if (targetUserId == null) { - targetUserId = ctx.winlog?.event_data?.TargetSid; - } - - //TargetUserSid to user.id or user.target.id - if (targetUserId != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.user?.id == null) { - ctx.user.put("id", targetUserId); - } else { - if (ctx.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("id", targetUserId); - } - } - - //TargetUserName to related.user and user.name or user.target.name - if (ctx.winlog?.event_data?.TargetUserName != null) { - def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@"); - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.user?.name == null) { - ctx.user.put("name", tun[0]); - } else { - if (ctx.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("name", tun[0]); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if 
(!ctx.related.user.contains(tun[0])) { - ctx.related.user.add(tun[0]); - } - } - //TargetUserDomain to user.domain or user.target.domain - if (ctx.winlog?.event_data?.TargetDomainName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.user?.domain == null) { - ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName); - } else { - if (ctx.user?.target == null){ - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName); - } - } -# split member name into parts based on comma ignoring escaped commas -# https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names - - split: - if: ctx.winlog?.event_data?.MemberName != null - field: winlog.event_data.MemberName - target_field: _temp.MemberNameParts - separator: "(?= 4) { - def domain = memberNameParts[3].replace("DC=", "").replace("dc=", ""); - ctx.user.target.put("domain", domain); - } - } - if (ctx.winlog?.event_data?.TargetUserSid != null) { - if (ctx.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("id", ctx.winlog.event_data.TargetUserSid); - } - if (ctx.winlog?.event_data?.TargetSid != null) { - if (ctx.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("id", ctx.winlog.event_data.TargetSid); - } - if (ctx.winlog?.event_data?.TargetUserName != null) { - if (ctx.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("name", ctx.winlog.event_data.TargetUserName); - } - if (ctx.winlog?.event_data?.TargetDomainName != null) { - if (ctx.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", ""); - ctx.group.put("domain", domain); - } - if (ctx.user?.target != null) { - if (ctx.user?.target?.group == null) { - HashMap hm = new 
HashMap(); - ctx.user.target.put("group", hm); - } - if (ctx.group?.id != null) { - ctx.user.target.group.put("id", ctx.group.id); - } - if (ctx.group?.name != null) { - ctx.user.target.group.put("name", ctx.group.name); - } - if (ctx.group?.domain != null) { - ctx.user.target.group.put("domain", ctx.group.domain); - } - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Computer Object - description: Copy Target User to Computer Object - source: |- - if (ctx.event?.code == null || - !["4741", "4742", "4743"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.TargetSid != null) { - if (ctx.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - } - ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid); - } - if (ctx.winlog?.event_data?.TargetUserName != null) { - if (ctx.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - } - ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName); - } - if (ctx.winlog?.event_data?.TargetDomainName != null) { - if (ctx.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - } - ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName); - } - - - set: - field: winlog.logon.id - copy_from: winlog.event_data.TargetLogonId - ignore_failure: false - if: ctx.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code) - - - script: - lang: painless - ignore_failure: false - tag: Copy Subject User from Event Data - description: Copy Subject User from Event Data - source: |- - if (ctx.event?.code == null || - !["4648", "4657", "4662", "4670", "4672", "4673", "4674", "4688", "4689", "4697", - "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", "4716", "4717", - "4718", "4719", "4720", "4722", "4723", "4724", "4725", "4726", "4727", "4728", - "4729", "4730", 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4739", - "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", - "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", - "4760", "4761", "4762", "4763", "4764", "4767", "4781", "4797", "4798", "4799", - "4817", "4904", "4905", "4907", "4912", "5136", "5140", "5145", "5379", "5380", - "5381", "5382"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.SubjectUserSid != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid); - } - if (ctx.winlog?.event_data?.SubjectUserName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.event_data.SubjectUserName); - if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) { - ctx.related.user.add(ctx.winlog.event_data.SubjectUserName); - } - } - if (ctx.winlog?.event_data?.SubjectDomainName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName); - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Target - description: Copy Target User to Target - source: |- - if (ctx?.event?.code == null || - !["4670", "4720", "4722", "4723", "4724", "4725", - "4726", "4738", "4740", "4767", "4798", "4817", - "4907", "4797"].contains(ctx.event.code)) { - return; - } - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - def userId = ctx?.winlog?.event_data?.TargetSid; - if (userId != 
null && userId != "" && userId != "-") ctx.user.target.id = userId; - def userName = ctx?.winlog?.event_data?.TargetUserName; - if (userName != null && userName != "" && userName != "-") { - ctx.user.target.name = userName; - def parts = userName.splitOnToken("@"); - if (parts.length > 1) { - ctx.user.target.name = parts[0]; - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.user.target.name)) { - ctx.related.user.add(ctx.user.target.name); - } - } - def userDomain = ctx?.winlog?.event_data?.TargetDomainName; - if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain; - if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target"); - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Effective - description: Copy Target User to Effective - source: |- - if (ctx?.event?.code == null || - !["4648", "4688"].contains(ctx.event.code)) { - return; - } - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.effective == null) { - HashMap hm = new HashMap(); - ctx.user.put("effective", hm); - } - def userId = ctx?.winlog?.event_data?.TargetUserSid; - if (userId != null && userId != "" && userId != "-") ctx.user.effective.id = userId; - def userName = ctx?.winlog?.event_data?.TargetUserName; - if (userName != null && userName != "" && userName != "-") { - ctx.user.effective.name = userName; - def parts = userName.splitOnToken("@"); - if (parts.length > 1) { - ctx.user.effective.name = parts[0]; - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.user.effective.name)) { - ctx.related.user.add(ctx.user.effective.name); - } - } - def userDomain = ctx?.winlog?.event_data?.TargetDomainName; - if (userDomain != null && userDomain != "" && userDomain != 
"-") ctx.user.effective.domain = userDomain; - if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective"); - - - script: - lang: painless - ignore_failure: false - tag: Copy Subject User from user_data - description: Copy Subject User from user_data - source: |- - if (ctx.event?.code == null || - !["1102"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.user_data?.SubjectUserSid != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid); - } - if (ctx.winlog?.user_data?.SubjectUserName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.user_data.SubjectUserName); - if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) { - ctx.related.user.add(ctx.winlog.user_data.SubjectUserName); - } - } - if (ctx.winlog?.user_data?.SubjectDomainName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName); - } - - - set: - field: winlog.logon.id - copy_from: winlog.event_data.SubjectLogonId - ignore_failure: true - - - set: - field: winlog.logon.id - copy_from: winlog.user_data.SubjectLogonId - ignore_failure: true - if: |- - ctx.event?.code != null && - ["1102"].contains(ctx.event.code) - - - script: - lang: painless - ignore_failure: false - tag: Rename Common Auth Fields - description: Rename Common Auth Fields - source: |- - if (ctx.event?.code == null || - !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625", - "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722", - "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730", - 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740", - "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", - "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", - "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", - "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817", - "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.ProcessId != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.winlog.event_data.ProcessId instanceof String) { - Long pid = Long.decode(ctx.winlog.event_data.ProcessId); - ctx.process.put("pid", pid.longValue()); - } else { - ctx.process.put("pid", ctx.winlog.event_data.ProcessId); - } - ctx.winlog.event_data.remove("ProcessId"); - } - if (ctx.winlog?.event_data?.ProcessName != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("executable", ctx.winlog.event_data.ProcessName); - ctx.winlog.event_data.remove("ProcessName"); - } - if (ctx.winlog?.event_data?.IpAddress != null && - ctx.winlog.event_data.IpAddress != "-") { - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("ip", ctx.winlog.event_data.IpAddress); - ctx.winlog.event_data.remove("IpAddress"); - } - if (ctx.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") { - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort)); - ctx.winlog.event_data.remove("IpPort"); - } - if (ctx.winlog?.event_data?.WorkstationName != null) { - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("domain", ctx.winlog.event_data.WorkstationName); - ctx.winlog.event_data.remove("WorkstationName"); - } - if (ctx.winlog?.event_data?.ClientAddress != null 
&& - ctx.winlog.event_data.ClientAddress != "-") { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - ctx.related.put("ip", ctx.winlog.event_data.ClientAddress); - ctx.winlog.event_data.remove("ClientAddress"); - } - if (ctx.process?.name == null && ctx.process?.executable != null) { - def parts = ctx.process.executable.splitOnToken("\\"); - ctx.process.put("name", parts[-1]); - } - - - script: - lang: painless - ignore_failure: false - tag: Process Event 4688 - description: Process Event 4688 - source: |- - if (ctx.event?.code == null || - !["4688"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.NewProcessId != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.winlog.event_data.NewProcessId instanceof String) { - Long pid = Long.decode(ctx.winlog.event_data.NewProcessId); - ctx.process.put("pid", pid.longValue()); - } else { - ctx.process.put("pid", ctx.winlog.event_data.NewProcessId); - } - ctx.winlog.event_data.remove("NewProcessId"); - } - if (ctx.winlog?.event_data?.NewProcessName != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("executable", ctx.winlog.event_data.NewProcessName); - ctx.winlog.event_data.remove("NewProcessName"); - } - if (ctx.winlog?.event_data?.ParentProcessName != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.process?.parent == null) { - HashMap hm = new HashMap(); - ctx.process.put("parent", hm); - } - ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName); - ctx.winlog.event_data.remove("ParentProcessName"); - } - if (ctx.process?.name == null && ctx.process?.executable != null) { - def parts = ctx.process.executable.splitOnToken("\\"); - ctx.process.put("name", parts[-1]); - } - if (ctx.process?.parent?.name == null && ctx.process?.parent?.executable != null) { - def 
parts = ctx.process.parent.executable.splitOnToken("\\"); - ctx.process.parent.put("name", parts[-1]); - } - if (ctx.winlog?.event_data?.ProcessId != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.process?.parent == null) { - HashMap hm = new HashMap(); - ctx.process.put("parent", hm); - } - if (ctx.winlog.event_data.ProcessId instanceof String) { - Long pid = Long.decode(ctx.winlog.event_data.ProcessId); - ctx.process.parent.put("pid", pid.longValue()); - } else { - ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); - } - } - if (ctx.winlog?.event_data?.CommandLine != null) { - int start = 0; - int end = 0; - boolean in_quote = false; - ArrayList al = new ArrayList(); - for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { - end = i; - if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { - if (in_quote) { - in_quote = false; - } else { - in_quote = true; - } - } - if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { - al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); - start = i + 1; - } - if (i == ctx.winlog.event_data.CommandLine.length() - 1) { - al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); - } - } - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("args", al); - ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); - } - if ((ctx.winlog?.event_data?.TargetUserName != null) && - (!ctx.winlog.event_data.TargetUserName.equals("-"))) { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { - ctx.related.user.add(ctx.winlog.event_data.TargetUserName); - } - } - - - append: - field: 
related.user - value: '{{winlog.event_data.SubjectUserName}}' - allow_duplicates: false - if: |- - ctx.event?.code != null && - ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) && - ctx.winlog?.event_data?.SubjectUserName != null && - ctx.winlog.event_data.SubjectUserName != "-" - - - append: - field: related.user - value: '{{winlog.event_data.TargetUserName}}' - allow_duplicates: false - if: |- - ctx.event?.code != null && - ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738", - "4740", "4767", "4797", "4798"].contains(ctx.event.code) && - ctx.winlog?.event_data?.TargetUserName != null && - ctx.winlog.event_data.TargetUserName != "-" - - - split: - field: winlog.event_data.PrivilegeList - separator: "\\s+" - if: |- - ctx.event?.code != null && - ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) && - ctx.winlog?.event_data?.PrivilegeList != null - - - set: - field: user.target.name - copy_from: winlog.event_data.OldTargetUserName - ignore_empty_value: true - - - set: - field: user.changes.name - copy_from: winlog.event_data.NewTargetUserName - ignore_empty_value: true - - - append: - field: related.user - value: '{{winlog.event_data.NewTargetUserName}}' - allow_duplicates: false - if: |- - ctx.winlog?.event_data?.NewTargetUserName != null && - ctx.winlog.event_data.NewTargetUserName != "-" - - - append: - field: related.user - value: '{{winlog.event_data.OldTargetUserName}}' - allow_duplicates: false - if: |- - ctx.winlog?.event_data?.OldTargetUserName != null && - ctx.winlog.event_data.OldTargetUserName != "-" - + - pipeline: + name: '{< IngestPipeline "security_standard" >}' + if: 'ctx.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)' - gsub: field: source.ip pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$' replacement: '$1' ignore_missing: true - + - geoip: + field: source.ip + 
target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - append: field: related.ip value: '{{source.ip}}' 
@@ -3802,424 +43,23 @@ processors: if: |- ctx.source?.ip != null && ctx.source.ip != "-" - - - script: - lang: painless - ignore_failure: false - tag: Object Policy Change and SidListDesc - description: Object Policy Change and SidListDesc - # SDDL Ace Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - # SDDL Permissions - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - # Known SIDs - # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - # Domain-specific SIDs - # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - # Object Permission Flags - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - params: - AccountSIDDescription: - AO: Account operators - RU: Alias to allow previous Windows 2000 - AN: Anonymous logon - AU: Authenticated users - BA: Built-in administrators - BG: Built-in guests - BO: Backup operators - BU: Built-in users - CA: Certificate server administrators - CG: Creator group - CO: Creator owner - DA: Domain administrators - DC: Domain computers - DD: Domain controllers - DG: Domain guests - DU: Domain users - EA: Enterprise administrators - ED: Enterprise domain controllers - WD: Everyone - PA: Group Policy administrators - IU: Interactively logged-on user - LA: Local administrator - LG: Local guest - LS: Local service account - SY: Local system - NU: Network logon user - NO: Network configuration operators - NS: Network 
service account - PO: Printer operators - PS: Personal self - PU: Power users - RS: RAS servers group - RD: Terminal server users - RE: Replicator - RC: Restricted code - SA: Schema administrators - SO: Server operators - SU: Service logon user - S-1-0: Null Authority - S-1-0-0: Nobody - S-1-1: World Authority - S-1-1-0: Everyone - S-1-16-0: Untrusted Mandatory Level - S-1-16-12288: High Mandatory Level - S-1-16-16384: System Mandatory Level - S-1-16-20480: Protected Process Mandatory Level - S-1-16-28672: Secure Process Mandatory Level - S-1-16-4096: Low Mandatory Level - S-1-16-8192: Medium Mandatory Level - S-1-16-8448: Medium Plus Mandatory Level - S-1-2: Local Authority - S-1-2-0: Local - S-1-2-1: Console Logon - S-1-3: Creator Authority - S-1-3-0: Creator Owner - S-1-3-1: Creator Group - S-1-3-2: Creator Owner Server - S-1-3-3: Creator Group Server - S-1-3-4: Owner Rights - S-1-4: Non-unique Authority - S-1-5: NT Authority - S-1-5-1: Dialup - S-1-5-10: Principal Self - S-1-5-11: Authenticated Users - S-1-5-12: Restricted Code - S-1-5-13: Terminal Server Users - S-1-5-14: Remote Interactive Logon - S-1-5-15: This Organization - S-1-5-17: This Organization - S-1-5-18: Local System - S-1-5-19: NT Authority - S-1-5-2: Network - S-1-5-20: NT Authority - S-1-5-3: Batch - S-1-5-32-544: Administrators - S-1-5-32-545: Users - S-1-5-32-546: Guests - S-1-5-32-547: Power Users - S-1-5-32-548: Account Operators - S-1-5-32-549: Server Operators - S-1-5-32-550: Print Operators - S-1-5-32-551: Backup Operators - S-1-5-32-552: Replicators - S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access - S-1-5-32-555: Builtin\Remote Desktop Users - S-1-5-32-556: Builtin\Network Configuration Operators - S-1-5-32-557: Builtin\Incoming Forest Trust Builders - S-1-5-32-558: Builtin\Performance Monitor Users - S-1-5-32-559: Builtin\Performance Log Users - S-1-5-32-560: Builtin\Windows Authorization Access Group - S-1-5-32-561: Builtin\Terminal Server License Servers - S-1-5-32-562: 
Builtin\Distributed COM Users - S-1-5-32-569: Builtin\Cryptographic Operators - S-1-5-32-573: Builtin\Event Log Readers - S-1-5-32-574: Builtin\Certificate Service DCOM Access - S-1-5-32-575: Builtin\RDS Remote Access Servers - S-1-5-32-576: Builtin\RDS Endpoint Servers - S-1-5-32-577: Builtin\RDS Management Servers - S-1-5-32-578: Builtin\Hyper-V Administrators - S-1-5-32-579: Builtin\Access Control Assistance Operators - S-1-5-32-580: Builtin\Remote Management Users - S-1-5-32-582: Storage Replica Administrators - S-1-5-4: Interactive - S-1-5-5-X-Y: Logon Session - S-1-5-6: Service - S-1-5-64-10: NTLM Authentication - S-1-5-64-14: SChannel Authentication - S-1-5-64-21: Digest Authentication - S-1-5-7: Anonymous - S-1-5-8: Proxy - S-1-5-80: NT Service - S-1-5-80-0: All Services - S-1-5-83-0: NT Virtual Machine\Virtual Machines - S-1-5-9: Enterprise Domain Controllers - S-1-5-90-0: Windows Manager\Windows Manager Group - AceTypes: - A: Access Allowed - D: Access Denied - OA: Object Access Allowed - OD: Object Access Denied - AU: System Audit - AL: System Alarm - OU: System Object Audit - OL: System Object Alarm - ML: System Mandatory Label - SP: Central Policy ID - DomainSpecificSID: - "498": Enterprise Read-only Domain Controllers - "500": Administrator - "501": Guest - "502": KRBTGT - "512": Domain Admins - "513": Domain Users - "514": Domain Guests - "515": Domain Computers - "516": Domain Controllers - "517": Cert Publishers - "518": Schema Admins - "519": Enterprise Admins - "520": Group Policy Creator Owners - "521": Read-only Domain Controllers - "522": Cloneable Domain Controllers - "526": Key Admins - "527": Enterprise Key Admins - "553": RAS and IAS Servers - "571": Allowed RODC Password Replication Group - "572": Denied RODC Password Replication Group - PermissionDescription: - GA: Generic All - GR: Generic Read - GW: Generic Write - GX: Generic Execute - RC: Read Permissions - SD: Delete - WD: Modify Permissions - WO: Modify Owner - RP: Read All 
Properties - WP: Write All Properties - CC: Create All Child Objects - DC: Delete All Child Objects - LC: List Contents - SW: All Validated - LO: List Object - DT: Delete Subtree - CR: All Extended Rights - FA: File All Access - FR: File Generic Read - FX: FILE GENERIC EXECUTE - FW: FILE GENERIC WRITE - KA: KEY ALL ACCESS - KR: KEY READ - KW: KEY WRITE - KX: KEY EXECUTE - PermsFlags: - "0x80000000": 'Generic Read' - "0x4000000": 'Generic Write' - "0x20000000": 'Generic Execute' - "0x10000000": 'Generic All' - "0x02000000": 'Maximum Allowed' - "0x01000000": 'Access System Security' - "0x00100000": 'Syncronize' - "0x00080000": 'Write Owner' - "0x00040000": 'Write DACL' - "0x00020000": 'Read Control' - "0x00010000": 'Delete' - source: |- - ArrayList translatePermissionMask(def mask, def params) { - ArrayList al = new ArrayList(); - Long permCode = Long.decode(mask); - for (entry in params.PermsFlags.entrySet()) { - Long permFlag = Long.decode(entry.getKey()); - if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { - al.add(entry.getValue()); - } - } - if (al.length == 0) { - al.add(mask); - } - return al; - } - - HashMap translateACL(def dacl, def params) { - def aceArray = dacl.splitOnToken(";"); - HashMap hm = new HashMap(); - - if (aceArray.length >= 6 ) { - hm.put("grantee", translateSID(aceArray[5], params)); - } - - if (aceArray.length >= 1) { - hm.put("type", params.AceTypes[aceArray[0]]); - } - - if (aceArray.length >= 3) { - if (aceArray[2].startsWith("0x")) { - hm.put("perms", translatePermissionMask(aceArray[2], params)); - } else { - ArrayList al = new ArrayList(); - Pattern permPattern = /.{1,2}/; - Matcher permMatcher = permPattern.matcher(aceArray[2]); - while (permMatcher.find()) { - al.add(params.PermissionDescription[permMatcher.group(0)]); - } - hm.put("perms", al); - } - } - return hm; - } - String translateSID(def sid, def params) { - if (!params.AccountSIDDescription.containsKey(sid)) { - if (sid.startsWith("S-1-5-21")) { - 
Pattern uidPattern = /[0-9]{1,5}$/; - Matcher uidMatcher = uidPattern.matcher(sid); - if (uidMatcher.find()) { - return params.DomainSpecificSID[uidMatcher.group(0)]; - } - return sid; - } - return sid; - } - return params.AccountSIDDescription[sid]; - } - - void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { - Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; - Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); - if (sdOwnerMatcher.find()) { - ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); - } - - Pattern sdGroupPattern = /^G\:[A-Z]{2}/; - Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); - if (sdGroupMatcher.find()) { - ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); - } - - Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; - Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); - if (sdDaclMatcher.find()) { - Pattern dacListPattern = /\([^*\)]*\)/; - Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); - for (def i = 0; dacListMatcher.find(); i++) { - def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); - ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); - if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(newDacl['grantee'])) { - ctx.related.user.add(newDacl['grantee']); - } - } - } - } - - Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; - Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); - if (sdSaclMatcher.find()) { - Pattern sacListPattern = /\([^*\)]*\)/; - Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); - for (def i = 0; sacListMatcher.find(); 
i++) { - def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); - ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")"); - if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(newSacl['grantee'])) { - ctx.related.user.add(newSacl['grantee']); - } - } - } - } - } - - void splitSidList(def sids, def params, def ctx) { - ArrayList al = new ArrayList(); - def sidList = sids.splitOnToken(" "); - ctx.winlog.event_data.put("SidList", sidList); - for (def i = 0; i < sidList.length; i++ ) { - al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); - } - ctx.winlog.event_data.put("SidListDesc", al); - } - - if (ctx.event?.code == null || - !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.OldSd != null) { - enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); - } - if (ctx.winlog?.event_data?.NewSd != null) { - enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); - } - if (ctx.winlog?.event_data?.SidList != null) { - splitSidList(ctx.winlog.event_data.SidList, params, ctx); - } - - - set: - field: file.name - copy_from: winlog.event_data.RelativeTargetName - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.RelativeTargetName != null && - ctx.winlog.event_data.RelativeTargetName != "" - - set: - field: file.directory - copy_from: winlog.event_data.ShareLocalPath - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareLocalPath != null && - ctx.winlog.event_data.ShareLocalPath 
!= "" - - set: - field: file.path - value: "{{file.directory}}\\{{file.name}}" - if: ctx.file?.name != null && ctx.file?.directory != null - - set: - field: file.directory - copy_from: winlog.event_data.ShareLocalPath - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareLocalPath != null && - ctx.winlog.event_data.ShareLocalPath != "" - - set: - field: file.target_path - value: "{{winlog.event_data.ShareName}}\\{{file.name}}" - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareName != null && - ctx.winlog.event_data.ShareName != "" && - ctx.file?.name != null - - script: - description: Adds file information. - lang: painless - if: ctx.file?.name != null - source: |- - def extIdx = ctx.file.name.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = ctx.file.name.substring(extIdx+1); - } - convert: field: winlog.record_id type: string ignore_missing: true - - convert: field: winlog.event_id type: string ignore_missing: true - - set: field: ecs.version - value: '8.0.0' - + value: '8.17.0' - set: field: log.level copy_from: winlog.level ignore_empty_value: true ignore_failure: true if: ctx.winlog?.level != "" - - date: field: winlog.time_created tag: "time_created_date" @@ -4235,17 +75,14 @@ processors: value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - fail: message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - - #Cleanup _temp fields as it is not needed anymore - - remove: - field: _temp + - convert: + field: error.code + type: string ignore_missing: true - ignore_failure: true - on_failure: - set: field: event.kind value: pipeline_error - append: field: error.message - value: "{{{ _ingest.on_failure_message }}}" + value: "{{ _ingest.on_failure_message }}" 
diff --git a/x-pack/winlogbeat/module/security/ingest/security_standard.yml b/x-pack/winlogbeat/module/security/ingest/security_standard.yml
new file mode 100644
index 000000000000..68e74d61f1e1
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/ingest/security_standard.yml
@@ -0,0 +1,4248 @@ +--- +description: Pipeline for Windows Security events +processors: + - convert: + field: event.code + type: string + ignore_missing: true + - script: + lang: painless + ignore_failure: false + tag: Set ECS categorization fields + description: Set ECS categorization fields + params: + "1100": + category: + - process + type: + - end + action: logging-service-shutdown + "1102": + category: + - iam + type: + - admin + - change + action: audit-log-cleared + "1104": + category: + - iam + type: + - admin + action: logging-full + "1105": + category: + - iam + type: + - admin + action: auditlog-archieved + "1108": + category: + - iam + type: + - admin + action: logging-processing-error + "4610": + category: + - configuration + type: + - access + action: authentication-package-loaded + "4611": + category: + - configuration + type: + - change + action: trusted-logon-process-registered + "4614": + category: + - configuration + type: + - access + action: notification-package-loaded + "4616": + category: + - configuration + type: + - change + action: system-time-changed + "4622": + category: + - configuration + type: + - access + action: security-package-loaded + "4624": + category: + - authentication + type: + - start + action: logged-in + "4625": + category: + - authentication + type: + - start + action: logon-failed + "4634": + category: + - authentication + type: + - end + action: logged-out + "4647": + category: + - authentication + type: + - end + action: logged-out + "4648": + category: + - authentication + type: + - start + action: logged-in-explicit + "4657": + category: + - registry + - configuration + type: + - change + action: registry-value-modified + "4662": + category: + - iam + - configuration + type: + - admin + - change + action: object-operation-performed + "4670": + category: + - iam + - configuration + type: + - admin + - change + action: permissions-changed + "4672": + category: + - iam + type: + - admin + action: logged-in-special + 
"4673": + category: + - iam + type: + - admin + action: privileged-service-called + "4674": + category: + - iam + type: + - admin + action: privileged-operation + "4688": + category: + - process + type: + - start + action: created-process + "4689": + category: + - process + type: + - end + action: exited-process + "4697": + category: + - iam + - configuration + type: + - admin + - change + action: service-installed + "4698": + category: + - iam + - configuration + type: + - creation + - admin + action: scheduled-task-created + "4699": + category: + - iam + - configuration + type: + - deletion + - admin + action: scheduled-task-deleted + "4700": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-enabled + "4701": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-disabled + "4702": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-updated + "4706": + category: + - configuration + type: + - creation + action: domain-trust-added + "4707": + category: + - configuration + type: + - deletion + action: domain-trust-removed + "4713": + category: + - configuration + type: + - change + action: kerberos-policy-changed + "4714": + category: + - configuration + type: + - change + action: encrypted-data-recovery-policy-changed + "4715": + category: + - configuration + type: + - change + action: object-audit-policy-changed + "4716": + category: + - configuration + type: + - change + action: trusted-domain-information-changed + "4717": + category: + - iam + - configuration + type: + - admin + - change + action: system-security-access-granted + "4718": + category: + - iam + - configuration + type: + - admin + - deletion + action: system-security-access-removed + "4719": + category: + - iam + - configuration + type: + - admin + - change + action: changed-audit-config + "4720": + category: + - iam + type: + - user + - creation + action: added-user-account + 
"4722": + category: + - iam + type: + - user + - change + action: enabled-user-account + "4723": + category: + - iam + type: + - user + - change + action: changed-password + "4724": + category: + - iam + type: + - user + - change + action: reset-password + "4725": + category: + - iam + type: + - user + - deletion + action: disabled-user-account + "4726": + category: + - iam + type: + - user + - deletion + action: deleted-user-account + "4727": + category: + - iam + type: + - group + - creation + action: added-group-account + "4728": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4729": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4730": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4731": + category: + - iam + type: + - group + - creation + action: added-group-account + "4732": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4733": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4734": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4735": + category: + - iam + type: + - group + - change + action: modified-group-account + "4737": + category: + - iam + type: + - group + - change + action: modified-group-account + "4738": + category: + - iam + type: + - user + - change + action: modified-user-account + "4739": + category: + - configuration + type: + - change + action: domain-policy-changed + "4740": + category: + - iam + type: + - user + - change + action: locked-out-user-account + "4741": + category: + - iam + type: + - creation + - admin + action: added-computer-account + "4742": + category: + - iam + type: + - change + - admin + action: changed-computer-account + "4743": + category: + - iam + type: + - deletion + - admin + action: deleted-computer-account + "4744": + category: + - iam + type: + - group + - creation + action: 
added-distribution-group-account + "4745": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4746": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4747": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4748": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4749": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4750": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4751": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4752": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4753": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4754": + category: + - iam + type: + - group + - creation + action: added-group-account + "4755": + category: + - iam + type: + - group + - change + action: modified-group-account + "4756": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4757": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4758": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4759": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4760": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4761": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4762": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4763": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4764": + category: + - iam 
+ type: + - group + - change + action: type-changed-group-account + "4767": + category: + - iam + type: + - user + - change + action: unlocked-user-account + "4768": + category: + - authentication + type: + - start + action: kerberos-authentication-ticket-requested + "4769": + category: + - authentication + type: + - start + action: kerberos-service-ticket-requested + "4770": + category: + - authentication + type: + - start + action: kerberos-service-ticket-renewed + "4771": + category: + - authentication + type: + - start + action: kerberos-preauth-failed + "4776": + category: + - authentication + type: + - start + action: credential-validated + "4778": + category: + - authentication + - session + type: + - start + action: session-reconnected + "4779": + category: + - authentication + - session + type: + - end + action: session-disconnected + "4781": + category: + - iam + type: + - user + - change + action: renamed-user-account + "4797": + category: + - iam + type: + - user + - info + action: query-existence-of-blank-password + "4798": + category: + - iam + type: + - user + - info + action: group-membership-enumerated + "4799": + category: + - iam + type: + - group + - info + action: user-member-enumerated + "4817": + category: + - iam + - configuration + type: + - admin + - change + action: object-audit-changed + "4902": + category: + - iam + - configuration + type: + - admin + - creation + action: user-audit-policy-created + "4904": + category: + - iam + - configuration + type: + - admin + - change + action: security-event-source-added + "4905": + category: + - iam + - configuration + type: + - admin + - deletion + action: security-event-source-removed + "4906": + category: + - iam + - configuration + type: + - admin + - change + action: crash-on-audit-changed + "4907": + category: + - iam + - configuration + type: + - admin + - change + action: audit-setting-changed + "4908": + category: + - iam + - configuration + type: + - admin + - change + action: 
special-group-table-changed + "4912": + category: + - iam + - configuration + type: + - admin + - change + action: per-user-audit-policy-changed + "4950": + category: + - configuration + type: + - change + action: windows-firewall-setting-changed + "4954": + category: + - configuration + type: + - change + action: windows-firewall-group-policy-changed + "4964": + category: + - iam + type: + - admin + - group + action: logged-in-special + "5024": + category: + - process + type: + - start + action: windows-firewall-service-started + "5025": + category: + - process + type: + - end + action: windows-firewall-service-stopped + "5033": + category: + - driver + type: + - start + action: windows-firewall-driver-started + "5034": + category: + - driver + type: + - end + action: windows-firewall-driver-stopped + "5037": + category: + - driver + type: + - end + action: windows-firewall-driver-error + "5136": + category: + - iam + - configuration + type: + - admin + - change + action: directory-service-object-modified + "5140": + category: + - network + - file + type: + - info + - access + action: network-share-object-accessed + "5145": + category: + - network + - file + type: + - info + - access + action: network-share-object-access-checked + "5379": + category: + - iam + type: + - user + - info + action: credential-manager-credentials-were-read + "5380": + category: + - iam + type: + - user + - info + action: vault-credential-find + "5381": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + "5382": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + source: |- + if (ctx.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + params.get(ctx.event.code).forEach((k, v) -> { + if (v instanceof List) { + ctx.event[k] = new ArrayList(v); + } else { + ctx.event[k] = v; + } + }); + - script: + lang: painless + ignore_failure: false + tag: Set Logon Type + description: Set Logon Type + # Logon 
Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events + params: + "2": Interactive + "3": Network + "4": Batch + "5": Service + "7": Unlock + "8": NetworkCleartext + "9": NewCredentials + "10": RemoteInteractive + "11": CachedInteractive + source: |- + if (ctx.winlog?.event_data?.LogonType == null) { + return; + } + def t = params.get(ctx.winlog.event_data.LogonType); + if (t == null) { + return; + } + if (ctx.winlog?.logon == null ) { + Map map = new HashMap(); + ctx.winlog.put("logon", map); + } + ctx.winlog.logon.put("type", t) + - script: + lang: painless + ignore_failure: false + tag: Set User Account Control + description: Set User Account Control + # User Account Control Attributes Table + # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380 + params: + "0x00000001": USER_ACCOUNT_DISABLED + "0x00000002": USER_HOME_DIRECTORY_REQUIRED + "0x00000004": USER_PASSWORD_NOT_REQUIRED + "0x00000008": USER_TEMP_DUPLICATE_ACCOUNT + "0x00000010": USER_NORMAL_ACCOUNT + "0x00000020": USER_MNS_LOGON_ACCOUNT + "0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT + "0x00000080": USER_WORKSTATION_TRUST_ACCOUNT + "0x00000100": USER_SERVER_TRUST_ACCOUNT + "0x00000200": USER_DONT_EXPIRE_PASSWORD + "0x00000400": USER_ACCOUNT_AUTO_LOCKED + "0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED + "0x00001000": USER_SMARTCARD_REQUIRED + "0x00002000": USER_TRUSTED_FOR_DELEGATION + "0x00004000": USER_NOT_DELEGATED + "0x00008000": USER_USE_DES_KEY_ONLY + "0x00010000": USER_DONT_REQUIRE_PREAUTH + "0x00020000": USER_PASSWORD_EXPIRED + "0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION + "0x00080000": USER_NO_AUTH_DATA_REQUIRED + "0x00100000": USER_PARTIAL_SECRETS_ACCOUNT + "0x00200000": USER_USE_AES_KEYS + source: |- + if (ctx.winlog?.event_data == null) { + return; + } + if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") { + return; + } + 
Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue);
+ ArrayList uacResult = new ArrayList();
+ for (entry in params.entrySet()) {
+ Long flag = Long.decode(entry.getKey());
+ if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) {
+ uacResult.add(entry.getValue());
+ }
+ }
+ if (uacResult.length == 0) {
+ return;
+ }
+ ctx.winlog.event_data.put("NewUACList", uacResult);
+ if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") {
+ return;
+ }
+ ArrayList uac_array = new ArrayList();
+ for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken((String)((char)0x0a))) {
+ def trimmed = elem.replace("%%","").trim();
+ if (trimmed.length() > 0) {
+ uac_array.add(trimmed);
+ }
+ }
+ ctx.winlog.event_data.UserAccountControl = uac_array;
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Ticket Options
+ description: Set Kerberos Ticket Options
+ # Kerberos TGT and TGS Ticket Options
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
+ params:
+ "0x40000000": Forwardable
+ "0x20000000": Forwarded
+ "0x10000000": Proxiable
+ "0x08000000": Proxy
+ "0x04000000": Allow-postdate
+ "0x02000000": Postdated
+ "0x01000000": Invalid
+ "0x00800000": Renewable
+ "0x00400000": Initial
+ "0x00200000": Pre-authent
+ "0x00100000": Opt-hardware-auth
+ "0x00080000": Transited-policy-checked
+ "0x00040000": Ok-as-delegate
+ "0x00020000": Request-anonymous
+ "0x00010000": Name-canonicalize
+ "0x00000020": Disable-transited-check
+ "0x00000010": Renewable-ok
+ "0x00000008": Enc-tkt-in-skey
+ "0x00000002": Renew
+ "0x00000001": Validate
+ source: |-
+ if (ctx.winlog?.event_data?.TicketOptions == null) {
+ return;
+ }
+ Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions);
+ ArrayList tDescs = new ArrayList();
+ for (entry in params.entrySet()) {
+
Long flag = Long.decode(entry.getKey());
+ if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) {
+ tDescs.add(entry.getValue());
+ }
+ }
+ if (tDescs.length == 0) {
+ return;
+ }
+ ctx.winlog.event_data.put("TicketOptionsDescription", tDescs);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Encryption Types
+ description: Set Kerberos Encryption Types
+ # Kerberos Encryption Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ params:
+ "0x1": DES-CBC-CRC
+ "0x3": DES-CBC-MD5
+ "0x11": AES128-CTS-HMAC-SHA1-96
+ "0x12": AES256-CTS-HMAC-SHA1-96
+ "0x17": RC4-HMAC
+ "0x18": RC4-HMAC-EXP
+ "0xffffffff": FAIL
+ source: |-
+ if (ctx.winlog?.event_data?.TicketEncryptionType == null) {
+ return;
+ }
+ ctx.winlog.event_data.put("TicketEncryptionTypeDescription",
+ params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()])
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Ticket Status Codes
+ # Kerberos Result Status Codes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ description: Set Kerberos Ticket Status Codes
+ params:
+ "0x0": KDC_ERR_NONE
+ "0x1": KDC_ERR_NAME_EXP
+ "0x2": KDC_ERR_SERVICE_EXP
+ "0x3": KDC_ERR_BAD_PVNO
+ "0x4": KDC_ERR_C_OLD_MAST_KVNO
+ "0x5": KDC_ERR_S_OLD_MAST_KVNO
+ "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN
+ "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN
+ "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE
+ "0x9": KDC_ERR_NULL_KEY
+ "0xA": KDC_ERR_CANNOT_POSTDATE
+ "0xB": KDC_ERR_NEVER_VALID
+ "0xC": KDC_ERR_POLICY
+ "0xD": KDC_ERR_BADOPTION
+ "0xE": KDC_ERR_ETYPE_NOTSUPP
+ "0xF": KDC_ERR_SUMTYPE_NOSUPP
+ "0x10": KDC_ERR_PADATA_TYPE_NOSUPP
+ "0x11": KDC_ERR_TRTYPE_NO_SUPP
+ "0x12": KDC_ERR_CLIENT_REVOKED
+ "0x13": KDC_ERR_SERVICE_REVOKED
+
"0x14": KDC_ERR_TGT_REVOKED
+ "0x15": KDC_ERR_CLIENT_NOTYET
+ "0x16": KDC_ERR_SERVICE_NOTYET
+ "0x17": KDC_ERR_KEY_EXPIRED
+ "0x18": KDC_ERR_PREAUTH_FAILED
+ "0x19": KDC_ERR_PREAUTH_REQUIRED
+ "0x1A": KDC_ERR_SERVER_NOMATCH
+ "0x1B": KDC_ERR_MUST_USE_USER2USER
+ "0x1F": KRB_AP_ERR_BAD_INTEGRITY
+ "0x20": KRB_AP_ERR_TKT_EXPIRED
+ "0x21": KRB_AP_ERR_TKT_NYV
+ "0x22": KRB_AP_ERR_REPEAT
+ "0x23": KRB_AP_ERR_NOT_US
+ "0x24": KRB_AP_ERR_BADMATCH
+ "0x25": KRB_AP_ERR_SKEW
+ "0x26": KRB_AP_ERR_BADADDR
+ "0x27": KRB_AP_ERR_BADVERSION
+ "0x28": KRB_AP_ERR_MSG_TYPE
+ "0x29": KRB_AP_ERR_MODIFIED
+ "0x2A": KRB_AP_ERR_BADORDER
+ "0x2C": KRB_AP_ERR_BADKEYVER
+ "0x2D": KRB_AP_ERR_NOKEY
+ "0x2E": KRB_AP_ERR_MUT_FAIL
+ "0x2F": KRB_AP_ERR_BADDIRECTION
+ "0x30": KRB_AP_ERR_METHOD
+ "0x31": KRB_AP_ERR_BADSEQ
+ "0x32": KRB_AP_ERR_INAPP_CKSUM
+ "0x33": KRB_AP_PATH_NOT_ACCEPTED
+ "0x34": KRB_ERR_RESPONSE_TOO_BIG
+ "0x3C": KRB_ERR_GENERIC
+ "0x3D": KRB_ERR_FIELD_TOOLONG
+ "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED
+ "0x3F": KDC_ERR_KDC_NOT_TRUSTED
+ "0x40": KDC_ERR_INVALID_SIG
+ "0x41": KDC_ERR_KEY_TOO_WEAK
+ "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED
+ "0x43": KRB_AP_ERR_NO_TGT
+ "0x44": KDC_ERR_WRONG_REALM
+ source: |-
+ if (ctx.winlog?.event_data?.Status == null ||
+ ctx.event?.code == null ||
+ !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) {
+ return;
+ }
+ ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Service Type and Name
+ description: Set Service Type and Name
+ # Services Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
+ params:
+ "0x1": Kernel Driver
+ "0x2": File System Driver
+ "0x8": Recognizer Driver
+ "0x10": Win32 Own Process
+ "0x20": Win32 Share Process
+ "0x110": Interactive Own Process
+ "0x120": Interactive Share Process
+ source: |-
+ if (ctx.winlog?.event_data?.ServiceName != null) {
+ if (ctx.service == null) {
+ HashMap hm = new HashMap();
+ ctx.put("service", hm);
+ }
+ ctx.service.put("name", ctx.winlog.event_data.ServiceName);
+ }
+ if (ctx.winlog.event_data?.ServiceType != null) {
+ if (ctx.service == null) {
+ HashMap hm = new HashMap();
+ ctx.put("service", hm);
+ }
+ ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]);
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Audit Information
+ description: Set Audit Information
+ params:
+ "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"]
+ "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"]
+ "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"]
+ "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"]
+ "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"]
+ "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"]
+ "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"]
+ "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"]
+ "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"]
+ "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"]
+ "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"]
+ "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"]
+ "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"]
+ "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"]
+ "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"]
+ "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"]
+ "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"]
+ "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"]
+ "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"]
+ "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"]
+
"0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"]
+ "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"]
+ "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"]
+ "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"]
+ "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"]
+ "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"]
+ "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"]
+ "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"]
+ "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"]
+ "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"]
+ "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"]
+ "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"]
+ "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"]
+ "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"]
+ "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"]
+ "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"]
+ "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"]
+ "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"]
+ "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"]
+ "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"]
+ "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"]
+ "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"]
+ "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"]
+
"0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"]
+ "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"]
+ "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"]
+ "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"]
+ "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"]
+ "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"]
+ "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"]
+ "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"]
+ "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"]
+ "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"]
+ "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"]
+ "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"]
+ "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"]
+ "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"]
+ source: |-
+ if (ctx.winlog?.event_data?.SubcategoryGuid == null) {
+ return;
+ }
+ def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase();
+ if (!params.containsKey(subCatGuid)) {
+ return;
+ }
+ ctx.winlog.event_data.put("Category", params[subCatGuid][1]);
+ ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Decode message table
+ description: Decode message table
+ # Message table extracted from msobjs.dll on Windows 2019.
+ # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + descriptions: + "279": "Undefined Access (no effect) Bit 7" + "1536": "Unused message ID" + "1537": "DELETE" + "1538": "READ_CONTROL" + "1539": "WRITE_DAC" + "1540": "WRITE_OWNER" + "1541": "SYNCHRONIZE" + "1542": "ACCESS_SYS_SEC" + "1543": "MAX_ALLOWED" + "1552": "Unknown specific access (bit 0)" + "1553": "Unknown specific access (bit 1)" + "1554": "Unknown specific access (bit 2)" + "1555": "Unknown specific access (bit 3)" + "1556": "Unknown specific access (bit 4)" + "1557": "Unknown specific access (bit 5)" + "1558": "Unknown specific access (bit 6)" + "1559": "Unknown specific access (bit 7)" + "1560": "Unknown specific access (bit 8)" + "1561": "Unknown specific access (bit 9)" + "1562": "Unknown specific access (bit 10)" + "1563": "Unknown specific access (bit 11)" + "1564": "Unknown specific access (bit 12)" + "1565": "Unknown specific access (bit 13)" + "1566": "Unknown specific access (bit 14)" + "1567": "Unknown specific access (bit 15)" + "1601": "Not used" + "1603": "Assign Primary Token Privilege" + "1604": "Lock Memory Privilege" + "1605": "Increase Memory Quota Privilege" + "1606": "Unsolicited Input Privilege" + "1607": "Trusted Computer Base Privilege" + "1608": "Security Privilege" + "1609": "Take Ownership Privilege" + "1610": "Load/Unload Driver Privilege" + "1611": "Profile System Privilege" + "1612": "Set System Time Privilege" + "1613": "Profile Single Process Privilege" + "1614": "Increment Base Priority Privilege" + "1615": "Create Pagefile Privilege" + "1616": "Create Permanent Object Privilege" + "1617": "Backup Privilege" + "1618": "Restore From Backup Privilege" + "1619": "Shutdown System Privilege" + "1620": "Debug Privilege" + "1621": "View or Change 
Audit Log Privilege" + "1622": "Change Hardware Environment Privilege" + "1623": "Change Notify (and Traverse) Privilege" + "1624": "Remotely Shut System Down Privilege" + "1792": "" + "1794": "" + "1795": "Enabled" + "1796": "Disabled" + "1797": "All" + "1798": "None" + "1799": "Audit Policy query/set API Operation" + "1800": "" + "1801": "Granted by" + "1802": "Denied by" + "1803": "Denied by Integrity Policy check" + "1804": "Granted by Ownership" + "1805": "Not granted" + "1806": "Granted by NULL DACL" + "1807": "Denied by Empty DACL" + "1808": "Granted by NULL Security Descriptor" + "1809": "Unknown or unchecked" + "1810": "Not granted due to missing" + "1811": "Granted by ACE on parent folder" + "1812": "Denied by ACE on parent folder" + "1813": "Granted by Central Access Rule" + "1814": "NOT Granted by Central Access Rule" + "1815": "Granted by parent folder's Central Access Rule" + "1816": "NOT Granted by parent folder's Central Access Rule" + "1817": "Unknown Type" + "1818": "String" + "1819": "Unsigned 64-bit Integer" + "1820": "64-bit Integer" + "1821": "FQBN" + "1822": "Blob" + "1823": "Sid" + "1824": "Boolean" + "1825": "TRUE" + "1826": "FALSE" + "1827": "Invalid" + "1828": "an ACE too long to display" + "1829": "a Security Descriptor too long to display" + "1830": "Not granted to AppContainers" + "1831": "..." + "1832": "Identification" + "1833": "Impersonation" + "1840": "Delegation" + "1841": "Denied by Process Trust Label ACE" + "1842": "Yes" + "1843": "No" + "1844": "System" + "1845": "Not Available" + "1846": "Default" + "1847": "DisallowMmConfig" + "1848": "Off" + "1849": "Auto" + "1872": "REG_NONE" + "1873": "REG_SZ" + "1874": "REG_EXPAND_SZ" + "1875": "REG_BINARY" + "1876": "REG_DWORD" + "1877": "REG_DWORD_BIG_ENDIAN" + "1878": "REG_LINK" + "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)" + "1880": "REG_RESOURCE_LIST" + "1881": "REG_FULL_RESOURCE_DESCRIPTOR" + "1882": "REG_RESOURCE_REQUIREMENTS_LIST" + "1883": "REG_QWORD" + "1904": "New registry value created" + "1905": "Existing registry value modified" + "1906": "Registry value deleted" + "1920": "Sunday" + "1921": "Monday" + "1922": "Tuesday" + "1923": "Wednesday" + "1924": "Thursday" + "1925": "Friday" + "1926": "Saturday" + "1936": "TokenElevationTypeDefault (1)" + "1937": "TokenElevationTypeFull (2)" + "1938": "TokenElevationTypeLimited (3)" + "2048": "Account Enabled" + "2049": "Home Directory Required' - Disabled" + "2050": "Password Not Required' - Disabled" + "2051": "Temp Duplicate Account' - Disabled" + "2052": "Normal Account' - Disabled" + "2053": "MNS Logon Account' - Disabled" + "2054": "Interdomain Trust Account' - Disabled" + "2055": "Workstation Trust Account' - Disabled" + "2056": "Server Trust Account' - Disabled" + "2057": "Don't Expire Password' - Disabled" + "2058": "Account Unlocked" + "2059": "Encrypted Text Password Allowed' - Disabled" + "2060": "Smartcard Required' - Disabled" + "2061": "Trusted For Delegation' - Disabled" + "2062": "Not Delegated' - Disabled" + "2063": "Use DES Key Only' - Disabled" + "2064": "Don't Require Preauth' - Disabled" + "2065": "Password Expired' - Disabled" + "2066": "Trusted To Authenticate For Delegation' - Disabled" + "2067": "Exclude Authorization Information' - Disabled" + "2068": "Undefined UserAccountControl Bit 20' - Disabled" + "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" + "2070": "Undefined UserAccountControl Bit 22' - Disabled" + "2071": "Undefined UserAccountControl Bit 23' - Disabled" + "2072": "Undefined UserAccountControl Bit 24' - Disabled" + "2073": "Undefined UserAccountControl Bit 25' - Disabled" + "2074": "Undefined UserAccountControl Bit 26' - Disabled" + "2075": "Undefined UserAccountControl Bit 27' - Disabled" + "2076": "Undefined UserAccountControl Bit 28' - Disabled" 
+ "2077": "Undefined UserAccountControl Bit 29' - Disabled" + "2078": "Undefined UserAccountControl Bit 30' - Disabled" + "2079": "Undefined UserAccountControl Bit 31' - Disabled" + "2080": "Account Disabled" + "2081": "Home Directory Required' - Enabled" + "2082": "Password Not Required' - Enabled" + "2083": "Temp Duplicate Account' - Enabled" + "2084": "Normal Account' - Enabled" + "2085": "MNS Logon Account' - Enabled" + "2086": "Interdomain Trust Account' - Enabled" + "2087": "Workstation Trust Account' - Enabled" + "2088": "Server Trust Account' - Enabled" + "2089": "Don't Expire Password' - Enabled" + "2090": "Account Locked" + "2091": "Encrypted Text Password Allowed' - Enabled" + "2092": "Smartcard Required' - Enabled" + "2093": "Trusted For Delegation' - Enabled" + "2094": "Not Delegated' - Enabled" + "2095": "Use DES Key Only' - Enabled" + "2096": "Don't Require Preauth' - Enabled" + "2097": "Password Expired' - Enabled" + "2098": "Trusted To Authenticate For Delegation' - Enabled" + "2099": "Exclude Authorization Information' - Enabled" + "2100": "Undefined UserAccountControl Bit 20' - Enabled" + "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" + "2102": "Undefined UserAccountControl Bit 22' - Enabled" + "2103": "Undefined UserAccountControl Bit 23' - Enabled" + "2104": "Undefined UserAccountControl Bit 24' - Enabled" + "2105": "Undefined UserAccountControl Bit 25' - Enabled" + "2106": "Undefined UserAccountControl Bit 26' - Enabled" + "2107": "Undefined UserAccountControl Bit 27' - Enabled" + "2108": "Undefined UserAccountControl Bit 28' - Enabled" + "2109": "Undefined UserAccountControl Bit 29' - Enabled" + "2110": "Undefined UserAccountControl Bit 30' - Enabled" + "2111": "Undefined UserAccountControl Bit 31' - Enabled" + "2304": "An Error occured during Logon." + "2305": "The specified user account has expired." + "2306": "The NetLogon component is not active." + "2307": "Account locked out." 
+ "2308": "The user has not been granted the requested logon type at this machine." + "2309": "The specified account's password has expired." + "2310": "Account currently disabled." + "2311": "Account logon time restriction violation." + "2312": "User not allowed to logon at this computer." + "2313": "Unknown user name or bad password." + "2314": "Domain sid inconsistent." + "2315": "Smartcard logon is required and was not used." + "2432": "Not Available." + "2436": "Random number generator failure." + "2437": "Random number generation failed FIPS-140 pre-hash check." + "2438": "Failed to zero secret data." + "2439": "Key failed pair wise consistency check." + "2448": "Failed to unprotect persistent cryptographic key." + "2449": "Key export checks failed." + "2450": "Validation of public key failed." + "2451": "Signature verification failed." + "2456": "Open key file." + "2457": "Delete key file." + "2458": "Read persisted key from file." + "2459": "Write persisted key to file." + "2464": "Export of persistent cryptographic key." + "2465": "Import of persistent cryptographic key." + "2480": "Open Key." + "2481": "Create Key." + "2482": "Delete Key." + "2483": "Encrypt." + "2484": "Decrypt." + "2485": "Sign hash." + "2486": "Secret agreement." + "2487": "Domain settings" + "2488": "Local settings" + "2489": "Add provider." + "2490": "Remove provider." + "2491": "Add context." + "2492": "Remove context." + "2493": "Add function." + "2494": "Remove function." + "2495": "Add function provider." + "2496": "Remove function provider." + "2497": "Add function property." + "2498": "Remove function property." + "2499": "Machine key." + "2500": "User key." + "2501": "Key Derivation." 
+ "4352": "Device Access Bit 0" + "4353": "Device Access Bit 1" + "4354": "Device Access Bit 2" + "4355": "Device Access Bit 3" + "4356": "Device Access Bit 4" + "4357": "Device Access Bit 5" + "4358": "Device Access Bit 6" + "4359": "Device Access Bit 7" + "4360": "Device Access Bit 8" + "4361": "Undefined Access (no effect) Bit 9" + "4362": "Undefined Access (no effect) Bit 10" + "4363": "Undefined Access (no effect) Bit 11" + "4364": "Undefined Access (no effect) Bit 12" + "4365": "Undefined Access (no effect) Bit 13" + "4366": "Undefined Access (no effect) Bit 14" + "4367": "Undefined Access (no effect) Bit 15" + "4368": "Query directory" + "4369": "Traverse" + "4370": "Create object in directory" + "4371": "Create sub-directory" + "4372": "Undefined Access (no effect) Bit 4" + "4373": "Undefined Access (no effect) Bit 5" + "4374": "Undefined Access (no effect) Bit 6" + "4375": "Undefined Access (no effect) Bit 7" + "4376": "Undefined Access (no effect) Bit 8" + "4377": "Undefined Access (no effect) Bit 9" + "4378": "Undefined Access (no effect) Bit 10" + "4379": "Undefined Access (no effect) Bit 11" + "4380": "Undefined Access (no effect) Bit 12" + "4381": "Undefined Access (no effect) Bit 13" + "4382": "Undefined Access (no effect) Bit 14" + "4383": "Undefined Access (no effect) Bit 15" + "4384": "Query event state" + "4385": "Modify event state" + "4386": "Undefined Access (no effect) Bit 2" + "4387": "Undefined Access (no effect) Bit 3" + "4388": "Undefined Access (no effect) Bit 4" + "4389": "Undefined Access (no effect) Bit 5" + "4390": "Undefined Access (no effect) Bit 6" + "4391": "Undefined Access (no effect) Bit 7" + "4392": "Undefined Access (no effect) Bit 8" + "4393": "Undefined Access (no effect) Bit 9" + "4394": "Undefined Access (no effect) Bit 10" + "4395": "Undefined Access (no effect) Bit 11" + "4396": "Undefined Access (no effect) Bit 12" + "4397": "Undefined Access (no effect) Bit 13" + "4398": "Undefined Access (no effect) Bit 14" + 
"4399": "Undefined Access (no effect) Bit 15" + "4416": "ReadData (or ListDirectory)" + "4417": "WriteData (or AddFile)" + "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" + "4419": "ReadEA" + "4420": "WriteEA" + "4421": "Execute/Traverse" + "4422": "DeleteChild" + "4423": "ReadAttributes" + "4424": "WriteAttributes" + "4425": "Undefined Access (no effect) Bit 9" + "4426": "Undefined Access (no effect) Bit 10" + "4427": "Undefined Access (no effect) Bit 11" + "4428": "Undefined Access (no effect) Bit 12" + "4429": "Undefined Access (no effect) Bit 13" + "4430": "Undefined Access (no effect) Bit 14" + "4431": "Undefined Access (no effect) Bit 15" + "4432": "Query key value" + "4433": "Set key value" + "4434": "Create sub-key" + "4435": "Enumerate sub-keys" + "4436": "Notify about changes to keys" + "4437": "Create Link" + "4438": "Undefined Access (no effect) Bit 6" + "4439": "Undefined Access (no effect) Bit 7" + "4440": "Enable 64(or 32) bit application to open 64 bit key" + "4441": "Enable 64(or 32) bit application to open 32 bit key" + "4442": "Undefined Access (no effect) Bit 10" + "4443": "Undefined Access (no effect) Bit 11" + "4444": "Undefined Access (no effect) Bit 12" + "4445": "Undefined Access (no effect) Bit 13" + "4446": "Undefined Access (no effect) Bit 14" + "4447": "Undefined Access (no effect) Bit 15" + "4448": "Query mutant state" + "4449": "Undefined Access (no effect) Bit 1" + "4450": "Undefined Access (no effect) Bit 2" + "4451": "Undefined Access (no effect) Bit 3" + "4452": "Undefined Access (no effect) Bit 4" + "4453": "Undefined Access (no effect) Bit 5" + "4454": "Undefined Access (no effect) Bit 6" + "4455": "Undefined Access (no effect) Bit 7" + "4456": "Undefined Access (no effect) Bit 8" + "4457": "Undefined Access (no effect) Bit 9" + "4458": "Undefined Access (no effect) Bit 10" + "4459": "Undefined Access (no effect) Bit 11" + "4460": "Undefined Access (no effect) Bit 12" + "4461": "Undefined Access (no effect) Bit 
13" + "4462": "Undefined Access (no effect) Bit 14" + "4463": "Undefined Access (no effect) Bit 15" + "4464": "Communicate using port" + "4465": "Undefined Access (no effect) Bit 1" + "4466": "Undefined Access (no effect) Bit 2" + "4467": "Undefined Access (no effect) Bit 3" + "4468": "Undefined Access (no effect) Bit 4" + "4469": "Undefined Access (no effect) Bit 5" + "4470": "Undefined Access (no effect) Bit 6" + "4471": "Undefined Access (no effect) Bit 7" + "4472": "Undefined Access (no effect) Bit 8" + "4473": "Undefined Access (no effect) Bit 9" + "4474": "Undefined Access (no effect) Bit 10" + "4475": "Undefined Access (no effect) Bit 11" + "4476": "Undefined Access (no effect) Bit 12" + "4477": "Undefined Access (no effect) Bit 13" + "4478": "Undefined Access (no effect) Bit 14" + "4479": "Undefined Access (no effect) Bit 15" + "4480": "Force process termination" + "4481": "Create new thread in process" + "4482": "Set process session ID" + "4483": "Perform virtual memory operation" + "4484": "Read from process memory" + "4485": "Write to process memory" + "4486": "Duplicate handle into or out of process" + "4487": "Create a subprocess of process" + "4488": "Set process quotas" + "4489": "Set process information" + "4490": "Query process information" + "4491": "Set process termination port" + "4492": "Undefined Access (no effect) Bit 12" + "4493": "Undefined Access (no effect) Bit 13" + "4494": "Undefined Access (no effect) Bit 14" + "4495": "Undefined Access (no effect) Bit 15" + "4496": "Control profile" + "4497": "Undefined Access (no effect) Bit 1" + "4498": "Undefined Access (no effect) Bit 2" + "4499": "Undefined Access (no effect) Bit 3" + "4500": "Undefined Access (no effect) Bit 4" + "4501": "Undefined Access (no effect) Bit 5" + "4502": "Undefined Access (no effect) Bit 6" + "4503": "Undefined Access (no effect) Bit 7" + "4504": "Undefined Access (no effect) Bit 8" + "4505": "Undefined Access (no effect) Bit 9" + "4506": "Undefined Access (no 
effect) Bit 10" + "4507": "Undefined Access (no effect) Bit 11" + "4508": "Undefined Access (no effect) Bit 12" + "4509": "Undefined Access (no effect) Bit 13" + "4510": "Undefined Access (no effect) Bit 14" + "4511": "Undefined Access (no effect) Bit 15" + "4512": "Query section state" + "4513": "Map section for write" + "4514": "Map section for read" + "4515": "Map section for execute" + "4516": "Extend size" + "4517": "Undefined Access (no effect) Bit 5" + "4518": "Undefined Access (no effect) Bit 6" + "4519": "Undefined Access (no effect) Bit 7" + "4520": "Undefined Access (no effect) Bit 8" + "4521": "Undefined Access (no effect) Bit 9" + "4522": "Undefined Access (no effect) Bit 10" + "4523": "Undefined Access (no effect) Bit 11" + "4524": "Undefined Access (no effect) Bit 12" + "4525": "Undefined Access (no effect) Bit 13" + "4526": "Undefined Access (no effect) Bit 14" + "4527": "Undefined Access (no effect) Bit 15" + "4528": "Query semaphore state" + "4529": "Modify semaphore state" + "4530": "Undefined Access (no effect) Bit 2" + "4531": "Undefined Access (no effect) Bit 3" + "4532": "Undefined Access (no effect) Bit 4" + "4533": "Undefined Access (no effect) Bit 5" + "4534": "Undefined Access (no effect) Bit 6" + "4535": "Undefined Access (no effect) Bit 7" + "4536": "Undefined Access (no effect) Bit 8" + "4537": "Undefined Access (no effect) Bit 9" + "4538": "Undefined Access (no effect) Bit 10" + "4539": "Undefined Access (no effect) Bit 11" + "4540": "Undefined Access (no effect) Bit 12" + "4541": "Undefined Access (no effect) Bit 13" + "4542": "Undefined Access (no effect) Bit 14" + "4543": "Undefined Access (no effect) Bit 15" + "4544": "Use symbolic link" + "4545": "Undefined Access (no effect) Bit 1" + "4546": "Undefined Access (no effect) Bit 2" + "4547": "Undefined Access (no effect) Bit 3" + "4548": "Undefined Access (no effect) Bit 4" + "4549": "Undefined Access (no effect) Bit 5" + "4550": "Undefined Access (no effect) Bit 6" + "4551": 
"Undefined Access (no effect) Bit 7" + "4552": "Undefined Access (no effect) Bit 8" + "4553": "Undefined Access (no effect) Bit 9" + "4554": "Undefined Access (no effect) Bit 10" + "4555": "Undefined Access (no effect) Bit 11" + "4556": "Undefined Access (no effect) Bit 12" + "4557": "Undefined Access (no effect) Bit 13" + "4558": "Undefined Access (no effect) Bit 14" + "4559": "Undefined Access (no effect) Bit 15" + "4560": "Force thread termination" + "4561": "Suspend or resume thread" + "4562": "Send an alert to thread" + "4563": "Get thread context" + "4564": "Set thread context" + "4565": "Set thread information" + "4566": "Query thread information" + "4567": "Assign a token to the thread" + "4568": "Cause thread to directly impersonate another thread" + "4569": "Directly impersonate this thread" + "4570": "Undefined Access (no effect) Bit 10" + "4571": "Undefined Access (no effect) Bit 11" + "4572": "Undefined Access (no effect) Bit 12" + "4573": "Undefined Access (no effect) Bit 13" + "4574": "Undefined Access (no effect) Bit 14" + "4575": "Undefined Access (no effect) Bit 15" + "4576": "Query timer state" + "4577": "Modify timer state" + "4578": "Undefined Access (no effect) Bit 2" + "4579": "Undefined Access (no effect) Bit 3" + "4580": "Undefined Access (no effect) Bit 4" + "4581": "Undefined Access (no effect) Bit 5" + "4582": "Undefined Access (no effect) Bit 6" + "4584": "Undefined Access (no effect) Bit 8" + "4585": "Undefined Access (no effect) Bit 9" + "4586": "Undefined Access (no effect) Bit 10" + "4587": "Undefined Access (no effect) Bit 11" + "4588": "Undefined Access (no effect) Bit 12" + "4589": "Undefined Access (no effect) Bit 13" + "4590": "Undefined Access (no effect) Bit 14" + "4591": "Undefined Access (no effect) Bit 15" + "4592": "AssignAsPrimary" + "4593": "Duplicate" + "4594": "Impersonate" + "4595": "Query" + "4596": "QuerySource" + "4597": "AdjustPrivileges" + "4598": "AdjustGroups" + "4599": "AdjustDefaultDacl" + "4600": 
"AdjustSessionID" + "4601": "Undefined Access (no effect) Bit 9" + "4602": "Undefined Access (no effect) Bit 10" + "4603": "Undefined Access (no effect) Bit 11" + "4604": "Undefined Access (no effect) Bit 12" + "4605": "Undefined Access (no effect) Bit 13" + "4606": "Undefined Access (no effect) Bit 14" + "4607": "Undefined Access (no effect) Bit 15" + "4608": "Create instance of object type" + "4609": "Undefined Access (no effect) Bit 1" + "4610": "Undefined Access (no effect) Bit 2" + "4611": "Undefined Access (no effect) Bit 3" + "4612": "Undefined Access (no effect) Bit 4" + "4613": "Undefined Access (no effect) Bit 5" + "4614": "Undefined Access (no effect) Bit 6" + "4615": "Undefined Access (no effect) Bit 7" + "4616": "Undefined Access (no effect) Bit 8" + "4617": "Undefined Access (no effect) Bit 9" + "4618": "Undefined Access (no effect) Bit 10" + "4619": "Undefined Access (no effect) Bit 11" + "4620": "Undefined Access (no effect) Bit 12" + "4621": "Undefined Access (no effect) Bit 13" + "4622": "Undefined Access (no effect) Bit 14" + "4623": "Undefined Access (no effect) Bit 15" + "4864": "Query State" + "4865": "Modify State" + "5120": "Channel read message" + "5121": "Channel write message" + "5122": "Channel query information" + "5123": "Channel set information" + "5124": "Undefined Access (no effect) Bit 4" + "5125": "Undefined Access (no effect) Bit 5" + "5126": "Undefined Access (no effect) Bit 6" + "5127": "Undefined Access (no effect) Bit 7" + "5128": "Undefined Access (no effect) Bit 8" + "5129": "Undefined Access (no effect) Bit 9" + "5130": "Undefined Access (no effect) Bit 10" + "5131": "Undefined Access (no effect) Bit 11" + "5132": "Undefined Access (no effect) Bit 12" + "5133": "Undefined Access (no effect) Bit 13" + "5134": "Undefined Access (no effect) Bit 14" + "5135": "Undefined Access (no effect) Bit 15" + "5136": "Assign process" + "5137": "Set Attributes" + "5138": "Query Attributes" + "5139": "Terminate Job" + "5140": "Set Security 
Attributes" + "5141": "Undefined Access (no effect) Bit 5" + "5142": "Undefined Access (no effect) Bit 6" + "5143": "Undefined Access (no effect) Bit 7" + "5144": "Undefined Access (no effect) Bit 8" + "5145": "Undefined Access (no effect) Bit 9" + "5146": "Undefined Access (no effect) Bit 10" + "5147": "Undefined Access (no effect) Bit 11" + "5148": "Undefined Access (no effect) Bit 12" + "5149": "Undefined Access (no effect) Bit 13" + "5150": "Undefined Access (no effect) Bit 14" + "5151": "Undefined Access (no effect) Bit 15" + "5376": "ConnectToServer" + "5377": "ShutdownServer" + "5378": "InitializeServer" + "5379": "CreateDomain" + "5380": "EnumerateDomains" + "5381": "LookupDomain" + "5382": "Undefined Access (no effect) Bit 6" + "5383": "Undefined Access (no effect) Bit 7" + "5384": "Undefined Access (no effect) Bit 8" + "5385": "Undefined Access (no effect) Bit 9" + "5386": "Undefined Access (no effect) Bit 10" + "5387": "Undefined Access (no effect) Bit 11" + "5388": "Undefined Access (no effect) Bit 12" + "5389": "Undefined Access (no effect) Bit 13" + "5390": "Undefined Access (no effect) Bit 14" + "5391": "Undefined Access (no effect) Bit 15" + "5392": "ReadPasswordParameters" + "5393": "WritePasswordParameters" + "5394": "ReadOtherParameters" + "5395": "WriteOtherParameters" + "5396": "CreateUser" + "5397": "CreateGlobalGroup" + "5398": "CreateLocalGroup" + "5399": "GetLocalGroupMembership" + "5400": "ListAccounts" + "5401": "LookupIDs" + "5402": "AdministerServer" + "5403": "Undefined Access (no effect) Bit 11" + "5404": "Undefined Access (no effect) Bit 12" + "5405": "Undefined Access (no effect) Bit 13" + "5406": "Undefined Access (no effect) Bit 14" + "5407": "Undefined Access (no effect) Bit 15" + "5408": "ReadInformation" + "5409": "WriteAccount" + "5410": "AddMember" + "5411": "RemoveMember" + "5412": "ListMembers" + "5413": "Undefined Access (no effect) Bit 5" + "5414": "Undefined Access (no effect) Bit 6" + "5415": "Undefined Access (no 
effect) Bit 7" + "5416": "Undefined Access (no effect) Bit 8" + "5417": "Undefined Access (no effect) Bit 9" + "5418": "Undefined Access (no effect) Bit 10" + "5419": "Undefined Access (no effect) Bit 11" + "5420": "Undefined Access (no effect) Bit 12" + "5421": "Undefined Access (no effect) Bit 13" + "5422": "Undefined Access (no effect) Bit 14" + "5423": "Undefined Access (no effect) Bit 15" + "5424": "AddMember" + "5425": "RemoveMember" + "5426": "ListMembers" + "5427": "ReadInformation" + "5428": "WriteAccount" + "5429": "Undefined Access (no effect) Bit 5" + "5430": "Undefined Access (no effect) Bit 6" + "5431": "Undefined Access (no effect) Bit 7" + "5432": "Undefined Access (no effect) Bit 8" + "5433": "Undefined Access (no effect) Bit 9" + "5434": "Undefined Access (no effect) Bit 10" + "5435": "Undefined Access (no effect) Bit 11" + "5436": "Undefined Access (no effect) Bit 12" + "5437": "Undefined Access (no effect) Bit 13" + "5438": "Undefined Access (no effect) Bit 14" + "5439": "Undefined Access (no effect) Bit 15" + "5440": "ReadGeneralInformation" + "5441": "ReadPreferences" + "5442": "WritePreferences" + "5443": "ReadLogon" + "5444": "ReadAccount" + "5445": "WriteAccount" + "5446": "ChangePassword (with knowledge of old password)" + "5447": "SetPassword (without knowledge of old password)" + "5448": "ListGroups" + "5449": "ReadGroupMembership" + "5450": "ChangeGroupMembership" + "5451": "Undefined Access (no effect) Bit 11" + "5452": "Undefined Access (no effect) Bit 12" + "5453": "Undefined Access (no effect) Bit 13" + "5454": "Undefined Access (no effect) Bit 14" + "5455": "Undefined Access (no effect) Bit 15" + "5632": "View non-sensitive policy information" + "5633": "View system audit requirements" + "5634": "Get sensitive policy information" + "5635": "Modify domain trust relationships" + "5636": "Create special accounts (for assignment of user rights)" + "5637": "Create a secret object" + "5638": "Create a privilege" + "5639": "Set default 
quota limits" + "5640": "Change system audit requirements" + "5641": "Administer audit log attributes" + "5642": "Enable/Disable LSA" + "5643": "Lookup Names/SIDs" + "5648": "Change secret value" + "5649": "Query secret value" + "5650": "Undefined Access (no effect) Bit 2" + "5651": "Undefined Access (no effect) Bit 3" + "5652": "Undefined Access (no effect) Bit 4" + "5653": "Undefined Access (no effect) Bit 5" + "5654": "Undefined Access (no effect) Bit 6" + "5655": "Undefined Access (no effect) Bit 7" + "5656": "Undefined Access (no effect) Bit 8" + "5657": "Undefined Access (no effect) Bit 9" + "5658": "Undefined Access (no effect) Bit 10" + "5659": "Undefined Access (no effect) Bit 11" + "5660": "Undefined Access (no effect) Bit 12" + "5661": "Undefined Access (no effect) Bit 13" + "5662": "Undefined Access (no effect) Bit 14" + "5663": "Undefined Access (no effect) Bit 15" + "5664": "Query trusted domain name/SID" + "5665": "Retrieve the controllers in the trusted domain" + "5666": "Change the controllers in the trusted domain" + "5667": "Query the Posix ID offset assigned to the trusted domain" + "5668": "Change the Posix ID offset assigned to the trusted domain" + "5669": "Undefined Access (no effect) Bit 5" + "5670": "Undefined Access (no effect) Bit 6" + "5671": "Undefined Access (no effect) Bit 7" + "5672": "Undefined Access (no effect) Bit 8" + "5673": "Undefined Access (no effect) Bit 9" + "5674": "Undefined Access (no effect) Bit 10" + "5675": "Undefined Access (no effect) Bit 11" + "5676": "Undefined Access (no effect) Bit 12" + "5677": "Undefined Access (no effect) Bit 13" + "5678": "Undefined Access (no effect) Bit 14" + "5679": "Undefined Access (no effect) Bit 15" + "5680": "Query account information" + "5681": "Change privileges assigned to account" + "5682": "Change quotas assigned to account" + "5683": "Change logon capabilities assigned to account" + "5684": "Change the Posix ID offset assigned to the accounted domain" + "5685": "Undefined 
Access (no effect) Bit 5" + "5686": "Undefined Access (no effect) Bit 6" + "5687": "Undefined Access (no effect) Bit 7" + "5688": "Undefined Access (no effect) Bit 8" + "5689": "Undefined Access (no effect) Bit 9" + "5690": "Undefined Access (no effect) Bit 10" + "5691": "Undefined Access (no effect) Bit 11" + "5692": "Undefined Access (no effect) Bit 12" + "5693": "Undefined Access (no effect) Bit 13" + "5694": "Undefined Access (no effect) Bit 14" + "5695": "Undefined Access (no effect) Bit 15" + "5696": "KeyedEvent Wait" + "5697": "KeyedEvent Wake" + "5698": "Undefined Access (no effect) Bit 2" + "5699": "Undefined Access (no effect) Bit 3" + "5700": "Undefined Access (no effect) Bit 4" + "5701": "Undefined Access (no effect) Bit 5" + "5702": "Undefined Access (no effect) Bit 6" + "5703": "Undefined Access (no effect) Bit 7" + "5704": "Undefined Access (no effect) Bit 8" + "5705": "Undefined Access (no effect) Bit 9" + "5706": "Undefined Access (no effect) Bit 10" + "5707": "Undefined Access (no effect) Bit 11" + "5708": "Undefined Access (no effect) Bit 12" + "5709": "Undefined Access (no effect) Bit 13" + "5710": "Undefined Access (no effect) Bit 14" + "5711": "Undefined Access (no effect) Bit 15" + "6656": "Enumerate desktops" + "6657": "Read attributes" + "6658": "Access Clipboard" + "6659": "Create desktop" + "6660": "Write attributes" + "6661": "Access global atoms" + "6662": "Exit windows" + "6663": "Unused Access Flag" + "6664": "Include this windowstation in enumerations" + "6665": "Read screen" + "6672": "Read Objects" + "6673": "Create window" + "6674": "Create menu" + "6675": "Hook control" + "6676": "Journal (record)" + "6677": "Journal (playback)" + "6678": "Include this desktop in enumerations" + "6679": "Write objects" + "6680": "Switch to this desktop" + "6912": "Administer print server" + "6913": "Enumerate printers" + "6930": "Full Control" + "6931": "Print" + "6948": "Administer Document" + "7168": "Connect to service controller" + "7169": 
"Create a new service" + "7170": "Enumerate services" + "7171": "Lock service database for exclusive access" + "7172": "Query service database lock state" + "7173": "Set last-known-good state of service database" + "7184": "Query service configuration information" + "7185": "Set service configuration information" + "7186": "Query status of service" + "7187": "Enumerate dependencies of service" + "7188": "Start the service" + "7189": "Stop the service" + "7190": "Pause or continue the service" + "7191": "Query information from service" + "7192": "Issue service-specific control commands" + "7424": "DDE Share Read" + "7425": "DDE Share Write" + "7426": "DDE Share Initiate Static" + "7427": "DDE Share Initiate Link" + "7428": "DDE Share Request" + "7429": "DDE Share Advise" + "7430": "DDE Share Poke" + "7431": "DDE Share Execute" + "7432": "DDE Share Add Items" + "7433": "DDE Share List Items" + "7680": "Create Child" + "7681": "Delete Child" + "7682": "List Contents" + "7683": "Write Self" + "7684": "Read Property" + "7685": "Write Property" + "7686": "Delete Tree" + "7687": "List Object" + "7688": "Control Access" + "7689": "Undefined Access (no effect) Bit 9" + "7690": "Undefined Access (no effect) Bit 10" + "7691": "Undefined Access (no effect) Bit 11" + "7692": "Undefined Access (no effect) Bit 12" + "7693": "Undefined Access (no effect) Bit 13" + "7694": "Undefined Access (no effect) Bit 14" + "7695": "Undefined Access (no effect) Bit 15" + "7936": "Audit Set System Policy" + "7937": "Audit Query System Policy" + "7938": "Audit Set Per User Policy" + "7939": "Audit Query Per User Policy" + "7940": "Audit Enumerate Users" + "7941": "Audit Set Options" + "7942": "Audit Query Options" + "8064": "Port sharing (read)" + "8065": "Port sharing (write)" + "8096": "Default credentials" + "8097": "Credentials manager" + "8098": "Fresh credentials" + "8192": "Kerberos" + "8193": "Preshared key" + "8194": "Unknown authentication" + "8195": "DES" + "8196": "3DES" + "8197": 
"MD5" + "8198": "SHA1" + "8199": "Local computer" + "8200": "Remote computer" + "8201": "No state" + "8202": "Sent first (SA) payload" + "8203": "Sent second (KE) payload" + "8204": "Sent third (ID) payload" + "8205": "Initiator" + "8206": "Responder" + "8207": "No state" + "8208": "Sent first (SA) payload" + "8209": "Sent final payload" + "8210": "Complete" + "8211": "Unknown" + "8212": "Transport" + "8213": "Tunnel" + "8214": "IKE/AuthIP DoS prevention mode started" + "8215": "IKE/AuthIP DoS prevention mode stopped" + "8216": "Enabled" + "8217": "Not enabled" + "8218": "No state" + "8219": "Sent first (EM attributes) payload" + "8220": "Sent second (SSPI) payload" + "8221": "Sent third (hash) payload" + "8222": "IKEv1" + "8223": "AuthIP" + "8224": "Anonymous" + "8225": "NTLM V2" + "8226": "CGA" + "8227": "Certificate" + "8228": "SSL" + "8229": "None" + "8230": "DH group 1" + "8231": "DH group 2" + "8232": "DH group 14" + "8233": "DH group ECP 256" + "8234": "DH group ECP 384" + "8235": "AES-128" + "8236": "AES-192" + "8237": "AES-256" + "8238": "Certificate ECDSA P256" + "8239": "Certificate ECDSA P384" + "8240": "SSL ECDSA P256" + "8241": "SSL ECDSA P384" + "8242": "SHA 256" + "8243": "SHA 384" + "8244": "IKEv2" + "8245": "EAP payload sent" + "8246": "Authentication payload sent" + "8247": "EAP" + "8248": "DH group 24" + "8272": "System" + "8273": "Logon/Logoff" + "8274": "Object Access" + "8275": "Privilege Use" + "8276": "Detailed Tracking" + "8277": "Policy Change" + "8278": "Account Management" + "8279": "DS Access" + "8280": "Account Logon" + "8448": "Success removed" + "8449": "Success Added" + "8450": "Failure removed" + "8451": "Failure Added" + "8452": "Success include removed" + "8453": "Success include added" + "8454": "Success exclude removed" + "8455": "Success exclude added" + "8456": "Failure include removed" + "8457": "Failure include added" + "8458": "Failure exclude removed" + "8459": "Failure exclude added" + "12288": "Security State Change" + 
"12289": "Security System Extension" + "12290": "System Integrity" + "12291": "IPsec Driver" + "12292": "Other System Events" + "12544": "Logon" + "12545": "Logoff" + "12546": "Account Lockout" + "12547": "IPsec Main Mode" + "12548": "Special Logon" + "12549": "IPsec Quick Mode" + "12550": "IPsec Extended Mode" + "12551": "Other Logon/Logoff Events" + "12552": "Network Policy Server" + "12553": "User / Device Claims" + "12554": "Group Membership" + "12800": "File System" + "12801": "Registry" + "12802": "Kernel Object" + "12803": "SAM" + "12804": "Other Object Access Events" + "12805": "Certification Services" + "12806": "Application Generated" + "12807": "Handle Manipulation" + "12808": "File Share" + "12809": "Filtering Platform Packet Drop" + "12810": "Filtering Platform Connection" + "12811": "Detailed File Share" + "12812": "Removable Storage" + "12813": "Central Policy Staging" + "13056": "Sensitive Privilege Use" + "13057": "Non Sensitive Privilege Use" + "13058": "Other Privilege Use Events" + "13312": "Process Creation" + "13313": "Process Termination" + "13314": "DPAPI Activity" + "13315": "RPC Events" + "13316": "Plug and Play Events" + "13317": "Token Right Adjusted Events" + "13568": "Audit Policy Change" + "13569": "Authentication Policy Change" + "13570": "Authorization Policy Change" + "13571": "MPSSVC Rule-Level Policy Change" + "13572": "Filtering Platform Policy Change" + "13573": "Other Policy Change Events" + "13824": "User Account Management" + "13825": "Computer Account Management" + "13826": "Security Group Management" + "13827": "Distribution Group Management" + "13828": "Application Group Management" + "13829": "Other Account Management Events" + "14080": "Directory Service Access" + "14081": "Directory Service Changes" + "14082": "Directory Service Replication" + "14083": "Detailed Directory Service Replication" + "14336": "Credential Validation" + "14337": "Kerberos Service Ticket Operations" + "14338": "Other Account Logon Events" + 
"14339": "Kerberos Authentication Service" + "14592": "Inbound" + "14593": "Outbound" + "14594": "Forward" + "14595": "Bidirectional" + "14596": "IP Packet" + "14597": "Transport" + "14598": "Forward" + "14599": "Stream" + "14600": "Datagram Data" + "14601": "ICMP Error" + "14602": "MAC 802.3" + "14603": "MAC Native" + "14604": "vSwitch" + "14608": "Resource Assignment" + "14609": "Listen" + "14610": "Receive/Accept" + "14611": "Connect" + "14612": "Flow Established" + "14614": "Resource Release" + "14615": "Endpoint Closure" + "14616": "Connect Redirect" + "14617": "Bind Redirect" + "14624": "Stream Packet" + "14640": "ICMP Echo-Request" + "14641": "vSwitch Ingress" + "14642": "vSwitch Egress" + "14672": "" + "14673": "[NULL]" + "14674": "Value Added" + "14675": "Value Deleted" + "14676": "Active Directory Domain Services" + "14677": "Active Directory Lightweight Directory Services" + "14678": "Yes" + "14679": "No" + "14680": "Value Added With Expiration Time" + "14681": "Value Deleted With Expiration Time" + "14688": "Value Auto Deleted With Expiration Time" + "16384": "Add" + "16385": "Delete" + "16386": "Boot-time" + "16387": "Persistent" + "16388": "Not persistent" + "16389": "Block" + "16390": "Permit" + "16391": "Callout" + "16392": "MD5" + "16393": "SHA-1" + "16394": "SHA-256" + "16395": "AES-GCM 128" + "16396": "AES-GCM 192" + "16397": "AES-GCM 256" + "16398": "DES" + "16399": "3DES" + "16400": "AES-128" + "16401": "AES-192" + "16402": "AES-256" + "16403": "Transport" + "16404": "Tunnel" + "16405": "Responder" + "16406": "Initiator" + "16407": "AES-GMAC 128" + "16408": "AES-GMAC 192" + "16409": "AES-GMAC 256" + "16416": "AuthNoEncap Transport" + "16896": "Enable WMI Account" + "16897": "Execute Method" + "16898": "Full Write" + "16899": "Partial Write" + "16900": "Provider Write" + "16901": "Remote Access" + "16902": "Subscribe" + "16903": "Publish" + reversed_descriptions: + "..." 
: ["1831"] + "3DES" : ["8196","16399"] + "64-bit Integer" : ["1820"] + "" : ["14672"] + "" : ["1800"] + "" : ["1794"] + "" : ["1793"] + "ACCESS_SYS_SEC" : ["1542"] + "AES-128" : ["16400","8235"] + "AES-192" : ["8236","16401"] + "AES-256" : ["16402","8237"] + "AES-GCM 128" : ["16395"] + "AES-GCM 192" : ["16396"] + "AES-GCM 256" : ["16397"] + "AES-GMAC 128" : ["16407"] + "AES-GMAC 192" : ["16408"] + "AES-GMAC 256" : ["16409"] + "Access Clipboard" : ["6658"] + "Access global atoms" : ["6661"] + "Account Disabled" : ["2080"] + "Account Enabled" : ["2048"] + "Account Locked" : ["2090"] + "Account Lockout" : ["12546"] + "Account Logon" : ["8280"] + "Account Management" : ["8278"] + "Account Unlocked" : ["2058"] + "Account currently disabled." : ["2310"] + "Account locked out." : ["2307"] + "Account logon time restriction violation." : ["2311"] + "Active Directory Domain Services" : ["14676"] + "Active Directory Lightweight Directory Services" : ["14677"] + "Add" : ["16384"] + "Add context." : ["2491"] + "Add function property." : ["2497"] + "Add function provider." : ["2495"] + "Add function." : ["2493"] + "Add provider." : ["2489"] + "AddMember" : ["5410","5424"] + "AdjustDefaultDacl" : ["4599"] + "AdjustGroups" : ["4598"] + "AdjustPrivileges" : ["4597"] + "AdjustSessionID" : ["4600"] + "Administer Document" : ["6948"] + "Administer audit log attributes" : ["5641"] + "Administer print server" : ["6912"] + "AdministerServer" : ["5402"] + "All" : ["1797"] + "An Error occured during Logon." 
: ["2304"] + "Anonymous" : ["8224"] + "AppendData (or AddSubdirectory or CreatePipeInstance)" : ["4418"] + "Application Generated" : ["12806"] + "Application Group Management" : ["13828"] + "Assign Primary Token Privilege" : ["1603"] + "Assign a token to the thread" : ["4567"] + "Assign process" : ["5136"] + "AssignAsPrimary" : ["4592"] + "Audit Enumerate Users" : ["7940"] + "Audit Policy Change" : ["13568"] + "Audit Policy query/set API Operation" : ["1799"] + "Audit Query Options" : ["7942"] + "Audit Query Per User Policy" : ["7939"] + "Audit Query System Policy" : ["7937"] + "Audit Set Options" : ["7941"] + "Audit Set Per User Policy" : ["7938"] + "Audit Set System Policy" : ["7936"] + "AuthIP" : ["8223"] + "AuthNoEncap Transport" : ["16416"] + "Authentication Policy Change" : ["13569"] + "Authentication payload sent" : ["8246"] + "Authorization Policy Change" : ["13570"] + "Auto" : ["1849"] + "Backup Privilege" : ["1617"] + "Bidirectional" : ["14595"] + "Bind Redirect" : ["14617"] + "Blob" : ["1822"] + "Block" : ["16389"] + "Boolean" : ["1824"] + "Boot-time" : ["16386"] + "CGA" : ["8226"] + "Callout" : ["16391"] + "Cause thread to directly impersonate another thread" : ["4568"] + "Central Policy Staging" : ["12813"] + "Certificate" : ["8227"] + "Certificate ECDSA P256" : ["8238"] + "Certificate ECDSA P384" : ["8239"] + "Certification Services" : ["12805"] + "Change Hardware Environment Privilege" : ["1622"] + "Change Notify (and Traverse) Privilege" : ["1623"] + "Change logon capabilities assigned to account" : ["5683"] + "Change privileges assigned to account" : ["5681"] + "Change quotas assigned to account" : ["5682"] + "Change secret value" : ["5648"] + "Change system audit requirements" : ["5640"] + "Change the Posix ID offset assigned to the accounted domain" : ["5684"] + "Change the Posix ID offset assigned to the trusted domain" : ["5668"] + "Change the controllers in the trusted domain" : ["5666"] + "ChangeGroupMembership" : ["5450"] + "ChangePassword 
(with knowledge of old password)" : ["5446"] + "Channel query information" : ["5122"] + "Channel read message" : ["5120"] + "Channel set information" : ["5123"] + "Channel write message" : ["5121"] + "Communicate using port" : ["4464"] + "Complete" : ["8210"] + "Computer Account Management" : ["13825"] + "Connect" : ["14611"] + "Connect Redirect" : ["14616"] + "Connect to service controller" : ["7168"] + "ConnectToServer" : ["5376"] + "Control Access" : ["7688"] + "Control profile" : ["4496"] + "Create Child" : ["7680"] + "Create Key." : ["2481"] + "Create Link" : ["4437"] + "Create Pagefile Privilege" : ["1615"] + "Create Permanent Object Privilege" : ["1616"] + "Create a new service" : ["7169"] + "Create a privilege" : ["5638"] + "Create a secret object" : ["5637"] + "Create a subprocess of process" : ["4487"] + "Create desktop" : ["6659"] + "Create instance of object type" : ["4608"] + "Create menu" : ["6674"] + "Create new thread in process" : ["4481"] + "Create object in directory" : ["4370"] + "Create special accounts (for assignment of user rights)" : ["5636"] + "Create sub-directory" : ["4371"] + "Create sub-key" : ["4434"] + "Create window" : ["6673"] + "CreateDomain" : ["5379"] + "CreateGlobalGroup" : ["5397"] + "CreateLocalGroup" : ["5398"] + "CreateUser" : ["5396"] + "Credential Validation" : ["14336"] + "Credentials manager" : ["8097"] + "DDE Share Add Items" : ["7432"] + "DDE Share Advise" : ["7429"] + "DDE Share Execute" : ["7431"] + "DDE Share Initiate Link" : ["7427"] + "DDE Share Initiate Static" : ["7426"] + "DDE Share List Items" : ["7433"] + "DDE Share Poke" : ["7430"] + "DDE Share Read" : ["7424"] + "DDE Share Request" : ["7428"] + "DDE Share Write" : ["7425"] + "DELETE" : ["1537"] + "DES" : ["16398","8195"] + "DH group 1" : ["8230"] + "DH group 14" : ["8232"] + "DH group 2" : ["8231"] + "DH group 24" : ["8248"] + "DH group ECP 256" : ["8233"] + "DH group ECP 384" : ["8234"] + "DPAPI Activity" : ["13314"] + "DS Access" : ["8279"] + "Datagram 
Data" : ["14600"] + "Debug Privilege" : ["1620"] + "Decrypt." : ["2484"] + "Default" : ["1846"] + "Default credentials" : ["8096"] + "Delegation" : ["1840"] + "Delete" : ["16385"] + "Delete Child" : ["7681"] + "Delete Key." : ["2482"] + "Delete Tree" : ["7686"] + "Delete key file." : ["2457"] + "DeleteChild" : ["4422"] + "Denied by" : ["1802"] + "Denied by ACE on parent folder" : ["1812"] + "Denied by Empty DACL" : ["1807"] + "Denied by Integrity Policy check" : ["1803"] + "Denied by Process Trust Label ACE" : ["1841"] + "Detailed Directory Service Replication" : ["14083"] + "Detailed File Share" : ["12811"] + "Detailed Tracking" : ["8276"] + "Device Access Bit 0" : ["4352"] + "Device Access Bit 1" : ["4353"] + "Device Access Bit 2" : ["4354"] + "Device Access Bit 3" : ["4355"] + "Device Access Bit 4" : ["4356"] + "Device Access Bit 5" : ["4357"] + "Device Access Bit 6" : ["4358"] + "Device Access Bit 7" : ["4359"] + "Device Access Bit 8" : ["4360"] + "Directly impersonate this thread" : ["4569"] + "Directory Service Access" : ["14080"] + "Directory Service Changes" : ["14081"] + "Directory Service Replication" : ["14082"] + "Disabled" : ["1796"] + "DisallowMmConfig" : ["1847"] + "Distribution Group Management" : ["13827"] + "Domain settings" : ["2487"] + "Domain sid inconsistent." : ["2314"] + "Don't Expire Password' - Disabled" : ["2057"] + "Don't Expire Password' - Enabled" : ["2089"] + "Don't Require Preauth' - Disabled" : ["2064"] + "Don't Require Preauth' - Enabled" : ["2096"] + "Duplicate" : ["4593"] + "Duplicate handle into or out of process" : ["4486"] + "EAP" : ["8247"] + "EAP payload sent" : ["8245"] + "Enable 64(or 32) bit application to open 32 bit key" : ["4441"] + "Enable 64(or 32) bit application to open 64 bit key" : ["4440"] + "Enable WMI Account" : ["16896"] + "Enable/Disable LSA" : ["5642"] + "Enabled" : ["1795","8216"] + "Encrypt." 
: ["2483"] + "Encrypted Text Password Allowed' - Disabled" : ["2059"] + "Encrypted Text Password Allowed' - Enabled" : ["2091"] + "Endpoint Closure" : ["14615"] + "Enumerate dependencies of service" : ["7187"] + "Enumerate desktops" : ["6656"] + "Enumerate printers" : ["6913"] + "Enumerate services" : ["7170"] + "Enumerate sub-keys" : ["4435"] + "EnumerateDomains" : ["5380"] + "Exclude Authorization Information' - Disabled" : ["2067"] + "Exclude Authorization Information' - Enabled" : ["2099"] + "Execute Method" : ["16897"] + "Execute/Traverse" : ["4421"] + "Existing registry value modified" : ["1905"] + "Exit windows" : ["6662"] + "Export of persistent cryptographic key." : ["2464"] + "Extend size" : ["4516"] + "FALSE" : ["1826"] + "FQBN" : ["1821"] + "Failed to unprotect persistent cryptographic key." : ["2448"] + "Failed to zero secret data." : ["2438"] + "Failure Added" : ["8451"] + "Failure exclude added" : ["8459"] + "Failure exclude removed" : ["8458"] + "Failure include added" : ["8457"] + "Failure include removed" : ["8456"] + "Failure removed" : ["8450"] + "File Share" : ["12808"] + "File System" : ["12800"] + "Filtering Platform Connection" : ["12810"] + "Filtering Platform Packet Drop" : ["12809"] + "Filtering Platform Policy Change" : ["13572"] + "Flow Established" : ["14612"] + "Force process termination" : ["4480"] + "Force thread termination" : ["4560"] + "Forward" : ["14598","14594"] + "Fresh credentials" : ["8098"] + "Friday" : ["1925"] + "Full Control" : ["6930"] + "Full Write" : ["16898"] + "Get sensitive policy information" : ["5634"] + "Get thread context" : ["4563"] + "GetLocalGroupMembership" : ["5399"] + "Granted by" : ["1801"] + "Granted by ACE on parent folder" : ["1811"] + "Granted by Central Access Rule" : ["1813"] + "Granted by NULL DACL" : ["1806"] + "Granted by NULL Security Descriptor" : ["1808"] + "Granted by Ownership" : ["1804"] + "Granted by parent folder's Central Access Rule" : ["1815"] + "Group Membership" : ["12554"] + 
"Handle Manipulation" : ["12807"] + "Home Directory Required' - Disabled" : ["2049"] + "Home Directory Required' - Enabled" : ["2081"] + "Hook control" : ["6675"] + "ICMP Echo-Request" : ["14640"] + "ICMP Error" : ["14601"] + "IKE/AuthIP DoS prevention mode started" : ["8214"] + "IKE/AuthIP DoS prevention mode stopped" : ["8215"] + "IKEv1" : ["8222"] + "IKEv2" : ["8244"] + "IP Packet" : ["14596"] + "IPsec Driver" : ["12291"] + "IPsec Extended Mode" : ["12550"] + "IPsec Main Mode" : ["12547"] + "IPsec Quick Mode" : ["12549"] + "Identification" : ["1832"] + "Impersonate" : ["4594"] + "Impersonation" : ["1833"] + "Import of persistent cryptographic key." : ["2465"] + "Inbound" : ["14592"] + "Include this desktop in enumerations" : ["6678"] + "Include this windowstation in enumerations" : ["6664"] + "Increase Memory Quota Privilege" : ["1605"] + "Increment Base Priority Privilege" : ["1614"] + "InitializeServer" : ["5378"] + "Initiator" : ["8205","16406"] + "Interdomain Trust Account' - Disabled" : ["2054"] + "Interdomain Trust Account' - Enabled" : ["2086"] + "Invalid" : ["1827"] + "Issue service-specific control commands" : ["7192"] + "Journal (playback)" : ["6677"] + "Journal (record)" : ["6676"] + "Kerberos" : ["8192"] + "Kerberos Authentication Service" : ["14339"] + "Kerberos Service Ticket Operations" : ["14337"] + "Kernel Object" : ["12802"] + "Key Derivation." : ["2501"] + "Key export checks failed." : ["2449"] + "Key failed pair wise consistency check." 
: ["2439"] + "KeyedEvent Wait" : ["5696"] + "KeyedEvent Wake" : ["5697"] + "List Contents" : ["7682"] + "List Object" : ["7687"] + "ListAccounts" : ["5400"] + "ListGroups" : ["5448"] + "ListMembers" : ["5412","5426"] + "Listen" : ["14609"] + "Load/Unload Driver Privilege" : ["1610"] + "Local computer" : ["8199"] + "Local settings" : ["2488"] + "Lock Memory Privilege" : ["1604"] + "Lock service database for exclusive access" : ["7171"] + "Logoff" : ["12545"] + "Logon" : ["12544"] + "Logon/Logoff" : ["8273"] + "Lookup Names/SIDs" : ["5643"] + "LookupDomain" : ["5381"] + "LookupIDs" : ["5401"] + "MAC 802.3" : ["14602"] + "MAC Native" : ["14603"] + "MAX_ALLOWED" : ["1543"] + "MD5" : ["16392","8197"] + "MNS Logon Account' - Disabled" : ["2053"] + "MNS Logon Account' - Enabled" : ["2085"] + "MPSSVC Rule-Level Policy Change" : ["13571"] + "Machine key." : ["2499"] + "Map section for execute" : ["4515"] + "Map section for read" : ["4514"] + "Map section for write" : ["4513"] + "Modify State" : ["4865"] + "Modify domain trust relationships" : ["5635"] + "Modify event state" : ["4385"] + "Modify semaphore state" : ["4529"] + "Modify timer state" : ["4577"] + "Monday" : ["1921"] + "NOT Granted by Central Access Rule" : ["1814"] + "NOT Granted by parent folder's Central Access Rule" : ["1816"] + "NTLM V2" : ["8225"] + "Network Policy Server" : ["12552"] + "New registry value created" : ["1904"] + "No" : ["14679","1843"] + "No state" : ["8207","8218","8201"] + "Non Sensitive Privilege Use" : ["13057"] + "None" : ["1798","8229"] + "Normal Account' - Disabled" : ["2052"] + "Normal Account' - Enabled" : ["2084"] + "Not Available" : ["1845"] + "Not Available." 
: ["2432"] + "Not Delegated' - Disabled" : ["2062"] + "Not Delegated' - Enabled" : ["2094"] + "Not enabled" : ["8217"] + "Not granted" : ["1805"] + "Not granted due to missing" : ["1810"] + "Not granted to AppContainers" : ["1830"] + "Not persistent" : ["16388"] + "Not used" : ["1601"] + "Notify about changes to keys" : ["4436"] + "Object Access" : ["8274"] + "Off" : ["1848"] + "Open Key." : ["2480"] + "Open key file." : ["2456"] + "Other Account Logon Events" : ["14338"] + "Other Account Management Events" : ["13829"] + "Other Logon/Logoff Events" : ["12551"] + "Other Object Access Events" : ["12804"] + "Other Policy Change Events" : ["13573"] + "Other Privilege Use Events" : ["13058"] + "Other System Events" : ["12292"] + "Outbound" : ["14593"] + "Partial Write" : ["16899"] + "Password Expired' - Disabled" : ["2065"] + "Password Expired' - Enabled" : ["2097"] + "Password Not Required' - Disabled" : ["2050"] + "Password Not Required' - Enabled" : ["2082"] + "Pause or continue the service" : ["7190"] + "Perform virtual memory operation" : ["4483"] + "Permit" : ["16390"] + "Persistent" : ["16387"] + "Plug and Play Events" : ["13316"] + "Policy Change" : ["8277"] + "Port sharing (read)" : ["8064"] + "Port sharing (write)" : ["8065"] + "Preshared key" : ["8193"] + "Print" : ["6931"] + "Privilege Use" : ["8275"] + "Process Creation" : ["13312"] + "Process Termination" : ["13313"] + "Profile Single Process Privilege" : ["1613"] + "Profile System Privilege" : ["1611"] + "Protect Kerberos Service Tickets with AES Keys' - Disabled" : ["2069"] + "Protect Kerberos Service Tickets with AES Keys' - Enabled" : ["2101"] + "Provider Write" : ["16900"] + "Publish" : ["16903"] + "Query" : ["4595"] + "Query Attributes" : ["5138"] + "Query State" : ["4864"] + "Query account information" : ["5680"] + "Query directory" : ["4368"] + "Query event state" : ["4384"] + "Query information from service" : ["7191"] + "Query key value" : ["4432"] + "Query mutant state" : ["4448"] + "Query 
process information" : ["4490"] + "Query secret value" : ["5649"] + "Query section state" : ["4512"] + "Query semaphore state" : ["4528"] + "Query service configuration information" : ["7184"] + "Query service database lock state" : ["7172"] + "Query status of service" : ["7186"] + "Query the Posix ID offset assigned to the trusted domain" : ["5667"] + "Query thread information" : ["4566"] + "Query timer state" : ["4576"] + "Query trusted domain name/SID" : ["5664"] + "QuerySource" : ["4596"] + "READ_CONTROL" : ["1538"] + "REG_BINARY" : ["1875"] + "REG_DWORD" : ["1876"] + "REG_DWORD_BIG_ENDIAN" : ["1877"] + "REG_EXPAND_SZ" : ["1874"] + "REG_FULL_RESOURCE_DESCRIPTOR" : ["1881"] + "REG_LINK" : ["1878"] + "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" : ["1879"] + "REG_NONE" : ["1872"] + "REG_QWORD" : ["1883"] + "REG_RESOURCE_LIST" : ["1880"] + "REG_RESOURCE_REQUIREMENTS_LIST" : ["1882"] + "REG_SZ" : ["1873"] + "RPC Events" : ["13315"] + "Random number generation failed FIPS-140 pre-hash check." : ["2437"] + "Random number generator failure." : ["2436"] + "Read Objects" : ["6672"] + "Read Property" : ["7684"] + "Read attributes" : ["6657"] + "Read from process memory" : ["4484"] + "Read persisted key from file." : ["2458"] + "Read screen" : ["6665"] + "ReadAccount" : ["5444"] + "ReadAttributes" : ["4423"] + "ReadData (or ListDirectory)" : ["4416"] + "ReadEA" : ["4419"] + "ReadGeneralInformation" : ["5440"] + "ReadGroupMembership" : ["5449"] + "ReadInformation" : ["5427","5408"] + "ReadLogon" : ["5443"] + "ReadOtherParameters" : ["5394"] + "ReadPasswordParameters" : ["5392"] + "ReadPreferences" : ["5441"] + "Receive/Accept" : ["14610"] + "Registry" : ["12801"] + "Registry value deleted" : ["1906"] + "Remote Access" : ["16901"] + "Remote computer" : ["8200"] + "Remotely Shut System Down Privilege" : ["1624"] + "Removable Storage" : ["12812"] + "Remove context." : ["2492"] + "Remove function property." : ["2498"] + "Remove function provider." 
: ["2496"] + "Remove function." : ["2494"] + "Remove provider." : ["2490"] + "RemoveMember" : ["5425","5411"] + "Resource Assignment" : ["14608"] + "Resource Release" : ["14614"] + "Responder" : ["16405","8206"] + "Restore From Backup Privilege" : ["1618"] + "Retrieve the controllers in the trusted domain" : ["5665"] + "SAM" : ["12803"] + "SHA 256" : ["8242"] + "SHA 384" : ["8243"] + "SHA-1" : ["16393"] + "SHA-256" : ["16394"] + "SHA1" : ["8198"] + "SSL" : ["8228"] + "SSL ECDSA P256" : ["8240"] + "SSL ECDSA P384" : ["8241"] + "SYNCHRONIZE" : ["1541"] + "Saturday" : ["1926"] + "Secret agreement." : ["2486"] + "Security Group Management" : ["13826"] + "Security Privilege" : ["1608"] + "Security State Change" : ["12288"] + "Security System Extension" : ["12289"] + "Send an alert to thread" : ["4562"] + "Sensitive Privilege Use" : ["13056"] + "Sent final payload" : ["8209"] + "Sent first (EM attributes) payload" : ["8219"] + "Sent first (SA) payload" : ["8208","8202"] + "Sent second (KE) payload" : ["8203"] + "Sent second (SSPI) payload" : ["8220"] + "Sent third (ID) payload" : ["8204"] + "Sent third (hash) payload" : ["8221"] + "Server Trust Account' - Disabled" : ["2056"] + "Server Trust Account' - Enabled" : ["2088"] + "Set Attributes" : ["5137"] + "Set Security Attributes" : ["5140"] + "Set System Time Privilege" : ["1612"] + "Set default quota limits" : ["5639"] + "Set key value" : ["4433"] + "Set last-known-good state of service database" : ["7173"] + "Set process information" : ["4489"] + "Set process quotas" : ["4488"] + "Set process session ID" : ["4482"] + "Set process termination port" : ["4491"] + "Set service configuration information" : ["7185"] + "Set thread context" : ["4564"] + "Set thread information" : ["4565"] + "SetPassword (without knowledge of old password)" : ["5447"] + "Shutdown System Privilege" : ["1619"] + "ShutdownServer" : ["5377"] + "Sid" : ["1823"] + "Sign hash." : ["2485"] + "Signature verification failed." 
: ["2451"] + "Smartcard Required' - Disabled" : ["2060"] + "Smartcard Required' - Enabled" : ["2092"] + "Smartcard logon is required and was not used." : ["2315"] + "Special Logon" : ["12548"] + "Start the service" : ["7188"] + "Stop the service" : ["7189"] + "Stream" : ["14599"] + "Stream Packet" : ["14624"] + "String" : ["1818"] + "Subscribe" : ["16902"] + "Success Added" : ["8449"] + "Success exclude added" : ["8455"] + "Success exclude removed" : ["8454"] + "Success include added" : ["8453"] + "Success include removed" : ["8452"] + "Success removed" : ["8448"] + "Sunday" : ["1920"] + "Suspend or resume thread" : ["4561"] + "Switch to this desktop" : ["6680"] + "System" : ["1844","8272"] + "System Integrity" : ["12290"] + "TRUE" : ["1825"] + "Take Ownership Privilege" : ["1609"] + "Temp Duplicate Account' - Disabled" : ["2051"] + "Temp Duplicate Account' - Enabled" : ["2083"] + "Terminate Job" : ["5139"] + "The NetLogon component is not active." : ["2306"] + "The specified account's password has expired." : ["2309"] + "The specified user account has expired." : ["2305"] + "The user has not been granted the requested logon type at this machine." 
: ["2308"] + "Thursday" : ["1924"] + "Token Right Adjusted Events" : ["13317"] + "TokenElevationTypeDefault (1)" : ["1936"] + "TokenElevationTypeFull (2)" : ["1937"] + "TokenElevationTypeLimited (3)" : ["1938"] + "Transport" : ["14597","16403","8212"] + "Traverse" : ["4369"] + "Trusted Computer Base Privilege" : ["1607"] + "Trusted For Delegation' - Disabled" : ["2061"] + "Trusted For Delegation' - Enabled" : ["2093"] + "Trusted To Authenticate For Delegation' - Disabled" : ["2066"] + "Trusted To Authenticate For Delegation' - Enabled" : ["2098"] + "Tuesday" : ["1922"] + "Tunnel" : ["16404","8213"] + "Undefined Access (no effect) Bit 1" : ["4609","4545","4497","4465","4449"] + "Undefined Access (no effect) Bit 10" : ["4554","4618","4378","5418","4474","7690","5690","4442","4522","4458","4602","5658","5434","5146","5706","4426","5386","4362","4538","4570","4586","5674","4506","4394","5130"] + "Undefined Access (no effect) Bit 11" : ["4587","5435","5691","5675","4603","4379","5451","5387","5707","4619","7691","4395","4459","4427","4571","4363","4539","5403","4443","5147","4523","5131","4475","4555","4507","5419","5659"] + "Undefined Access (no effect) Bit 12" : ["5660","4364","4620","5708","4540","4428","4524","5148","5420","4508","5404","5452","4380","4460","4604","5436","4492","4396","4556","7692","5676","4588","4476","4572","4444","5132","5692","5388"] + "Undefined Access (no effect) Bit 13" : ["5149","5437","4477","5389","4525","4557","5421","4605","4541","4461","5677","5693","4509","4621","4589","4381","5405","4429","4445","4573","5661","4397","5709","4365","5453","7693","4493","5133"] + "Undefined Access (no effect) Bit 14" : ["4510","4366","4606","4462","4558","5694","4446","5710","5390","5438","4478","4398","4382","4590","5150","5454","5134","5678","7694","5662","4526","4622","5422","4574","4542","4494","4430","5406"] + "Undefined Access (no effect) Bit 15" : 
["4399","5679","4447","5391","5407","5135","4559","4591","5663","5439","4511","4431","4495","5151","4607","7695","4623","4575","4543","4479","5455","4367","4383","5695","5423","5711","4527","4463"] + "Undefined Access (no effect) Bit 2" : ["4450","4498","4466","5698","4386","5650","4610","4578","4530","4546"] + "Undefined Access (no effect) Bit 3" : ["4451","5699","4579","5651","4467","4387","4547","4611","4531","4499"] + "Undefined Access (no effect) Bit 4" : ["4372","5652","5124","4468","4580","4548","4500","4452","4532","5700","4612","4388"] + "Undefined Access (no effect) Bit 5" : ["5669","5701","5653","4517","4453","4469","4501","5125","4549","4533","4581","5429","5685","4373","5413","4389","4613","5141"] + "Undefined Access (no effect) Bit 6" : ["5654","4534","4502","4390","5414","5382","4550","4582","4518","4614","4438","4454","4374","5126","4470","5430","5702","5670","5686","5142"] + "Undefined Access (no effect) Bit 7" : ["4519","4455","5143","4375","5703","4471","5383","5415","4391","5687","5431","5655","4551","5127","4503","4439","5671","279","4535","4615"] + "Undefined Access (no effect) Bit 8" : ["5144","4376","5656","4552","4472","4504","4456","5128","4392","4616","4536","4584","4520","5432","5384","5672","5416","5704","5688"] + "Undefined Access (no effect) Bit 9" : ["5433","5145","4361","4457","4601","4537","4585","4393","4521","5657","5673","4553","7689","5385","4425","4505","4377","5689","5417","5705","4617","5129","4473"] + "Undefined UserAccountControl Bit 20' - Disabled" : ["2068"] + "Undefined UserAccountControl Bit 20' - Enabled" : ["2100"] + "Undefined UserAccountControl Bit 22' - Disabled" : ["2070"] + "Undefined UserAccountControl Bit 22' - Enabled" : ["2102"] + "Undefined UserAccountControl Bit 23' - Disabled" : ["2071"] + "Undefined UserAccountControl Bit 23' - Enabled" : ["2103"] + "Undefined UserAccountControl Bit 24' - Disabled" : ["2072"] + "Undefined UserAccountControl Bit 24' - Enabled" : ["2104"] + "Undefined UserAccountControl 
Bit 25' - Disabled" : ["2073"] + "Undefined UserAccountControl Bit 25' - Enabled" : ["2105"] + "Undefined UserAccountControl Bit 26' - Disabled" : ["2074"] + "Undefined UserAccountControl Bit 26' - Enabled" : ["2106"] + "Undefined UserAccountControl Bit 27' - Disabled" : ["2075"] + "Undefined UserAccountControl Bit 27' - Enabled" : ["2107"] + "Undefined UserAccountControl Bit 28' - Disabled" : ["2076"] + "Undefined UserAccountControl Bit 28' - Enabled" : ["2108"] + "Undefined UserAccountControl Bit 29' - Disabled" : ["2077"] + "Undefined UserAccountControl Bit 29' - Enabled" : ["2109"] + "Undefined UserAccountControl Bit 30' - Disabled" : ["2078"] + "Undefined UserAccountControl Bit 30' - Enabled" : ["2110"] + "Undefined UserAccountControl Bit 31' - Disabled" : ["2079"] + "Undefined UserAccountControl Bit 31' - Enabled" : ["2111"] + "Unknown" : ["8211"] + "Unknown Type" : ["1817"] + "Unknown authentication" : ["8194"] + "Unknown or unchecked" : ["1809"] + "Unknown specific access (bit 0)" : ["1552"] + "Unknown specific access (bit 1)" : ["1553"] + "Unknown specific access (bit 10)" : ["1562"] + "Unknown specific access (bit 11)" : ["1563"] + "Unknown specific access (bit 12)" : ["1564"] + "Unknown specific access (bit 13)" : ["1565"] + "Unknown specific access (bit 14)" : ["1566"] + "Unknown specific access (bit 15)" : ["1567"] + "Unknown specific access (bit 2)" : ["1554"] + "Unknown specific access (bit 3)" : ["1555"] + "Unknown specific access (bit 4)" : ["1556"] + "Unknown specific access (bit 5)" : ["1557"] + "Unknown specific access (bit 6)" : ["1558"] + "Unknown specific access (bit 7)" : ["1559"] + "Unknown specific access (bit 8)" : ["1560"] + "Unknown specific access (bit 9)" : ["1561"] + "Unknown user name or bad password." 
: ["2313"] + "Unsigned 64-bit Integer" : ["1819"] + "Unsolicited Input Privilege" : ["1606"] + "Unused Access Flag" : ["6663"] + "Unused message ID" : ["1536"] + "Use DES Key Only' - Disabled" : ["2063"] + "Use DES Key Only' - Enabled" : ["2095"] + "Use symbolic link" : ["4544"] + "User / Device Claims" : ["12553"] + "User Account Management" : ["13824"] + "User key." : ["2500"] + "User not allowed to logon at this computer." : ["2312"] + "Validation of public key failed." : ["2450"] + "Value Added" : ["14674"] + "Value Added With Expiration Time" : ["14680"] + "Value Auto Deleted With Expiration Time" : ["14688"] + "Value Deleted" : ["14675"] + "Value Deleted With Expiration Time" : ["14681"] + "View non-sensitive policy information" : ["5632"] + "View or Change Audit Log Privilege" : ["1621"] + "View system audit requirements" : ["5633"] + "WRITE_DAC" : ["1539"] + "WRITE_OWNER" : ["1540"] + "Wednesday" : ["1923"] + "Workstation Trust Account' - Disabled" : ["2055"] + "Workstation Trust Account' - Enabled" : ["2087"] + "Write Property" : ["7685"] + "Write Self" : ["7683"] + "Write attributes" : ["6660"] + "Write objects" : ["6679"] + "Write persisted key to file." 
: ["2459"] + "Write to process memory" : ["4485"] + "WriteAccount" : ["5409","5445","5428"] + "WriteAttributes" : ["4424"] + "WriteData (or AddFile)" : ["4417"] + "WriteEA" : ["4420"] + "WriteOtherParameters" : ["5395"] + "WritePasswordParameters" : ["5393"] + "WritePreferences" : ["5442"] + "Yes" : ["1842","14678"] + "[NULL]" : ["14673"] + "a Security Descriptor too long to display" : ["1829"] + "an ACE too long to display" : ["1828"] + "vSwitch" : ["14604"] + "vSwitch Egress" : ["14642"] + "vSwitch Ingress" : ["14641"] + AccessMaskDescriptions: + "0x00000001": Create Child + "0x00000002": Delete Child + "0x00000004": List Contents + "0x00000008": SELF + "0x00000010": Read Property + "0x00000020": Write Property + "0x00000040": Delete Treee + "0x00000080": List Object + "0x00000100": Control Access + "0x00010000": DELETE + "0x00020000": READ_CONTROL + "0x00040000": WRITE_DAC + "0x00080000": WRITE_OWNER + "0x00100000": SYNCHRONIZE + "0x00F00000": STANDARD_RIGHTS_REQUIRED + "0x001F0000": STANDARD_RIGHTS_ALL + "0x0000FFFF": SPECIFIC_RIGHTS_ALL + "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY + "0x10000000": ADS_RIGHT_GENERIC_ALL + "0x20000000": ADS_RIGHT_GENERIC_EXECUTE + "0x40000000": ADS_RIGHT_GENERIC_WRITE + "0x80000000": ADS_RIGHT_GENERIC_READ + source: |- + def split(String s) { + def f = new ArrayList(); + int last = 0; + for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {} + for (def i = last; i < s.length(); i++) { + if (!Character.isWhitespace(s.charAt(i))) { + continue; + } + f.add(s.substring(last, i)); + for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {} + last = i; + } + f.add(s.substring(last)); + return f; + } + if (ctx.winlog?.event_data?.FailureReason != null) { + def code = ctx.winlog.event_data.FailureReason.replace("%%",""); + def desc = params.descriptions[code]; + if (desc == null) { + desc = code; + } + if (desc != null) { + if (ctx.winlog?.logon == null ) { + HashMap hm = new HashMap(); + 
ctx.winlog.put("logon", hm); + } + if (ctx.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("reason", desc); + } + } + if (ctx.winlog?.event_data?.AuditPolicyChanges != null) { + ArrayList results = new ArrayList(); + for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) { + def code = elem.replace("%%","").trim(); + if (params.descriptions.containsKey(code)) { + results.add(params.descriptions[code]); + } else { + results.add(code); + } + } + if (results.length > 0) { + ctx.winlog.event_data.put("AuditPolicyChangesDescription", results); + } + } + if (ctx.winlog?.event_data?.AccessList != null) { + ArrayList codes = new ArrayList(); + ArrayList results = new ArrayList(); + for (elem in split(ctx.winlog.event_data.AccessList)) { + def code = elem.replace("%%","").trim(); + if (code != "") { + codes.add(code); + } + if (params.descriptions.containsKey(code)) { + results.add(params.descriptions[code]); + } else { + results.add(code); + } + } + if (codes.length > 0) { + ctx.winlog.event_data.AccessList = codes; + } + if (results.length > 0) { + ctx.winlog.event_data.put("AccessListDescription", results); + } + } + if (ctx.winlog?.event_data?.Direction != null) { + def code = ctx.winlog.event_data.Direction.replace("%%","").trim(); + if (params.descriptions.containsKey(code)) { + ctx.winlog.event_data.put("DirectionDescription", params.descriptions[code]); + } + } + if (ctx.winlog?.event_data?.LayerName != null) { + def code = ctx.winlog.event_data.LayerName.replace("%%","").trim(); + if (params.descriptions.containsKey(code)) { + ctx.winlog.event_data.put("LayerNameDescription", params.descriptions[code]); + } + } + if (ctx.winlog?.event_data?.AccessMask != null) { + ArrayList list = new ArrayList(); + long accessMask; + for (elem in split(ctx.winlog.event_data.AccessMask)) { + if (elem.length() == 0) { + continue; + } + def code = elem.replace("%%","").trim(); 
+ if (params.descriptions.containsKey(code)) { + list.add(params.descriptions[code]); + } else { + list.add(code); + if (params.reversed_descriptions.containsKey(code)) + code = params.reversed_descriptions[code][0]; + } + try { + def longCode = Long.decode(code).longValue(); + accessMask |= longCode; + } catch (Exception e) {} + } + if (list.length > 0) { + ctx.winlog.event_data.put("AccessMask", list); + } + + ArrayList desc = new ArrayList(); + def[] w = new def[] { null }; + for (long b = 0; b < 32; b++) { + long flag = 1L << b; + if ((accessMask & flag) == flag) { + w[0] = flag; + def fDesc = params.AccessMaskDescriptions[String.format("0x%08X", w)]; + if (fDesc != null) { + desc.add(fDesc); + } + } + } + if (desc.length > 0) { + ctx.winlog.event_data.put("AccessMaskDescription", desc); + } + ArrayList results = new ArrayList(); + } + - script: + lang: painless + ignore_failure: false + tag: 4625 and 4776 Set Status and SubStatus + description: 4625 and 4776 Set Status and SubStatus + # Descriptions of failure status codes. + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 + params: + "0xc000005e": "There are currently no logon servers available to service the logon request." + "0xc0000064": "User logon with misspelled or bad user account" + "0xc000006a": "User logon with misspelled or bad password" + "0xc000006d": "This is either due to a bad username or authentication information" + "0xc000006e": "Unknown user name or bad password." + "0xc000006f": "User logon outside authorized hours" + "0xc0000070": "User logon from unauthorized workstation" + "0xc0000071": "User logon with expired password" + "0xc0000072": "User logon to account disabled by administrator" + "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation." 
+ "0xc0000133": "Clocks between DC and other computer too far out of sync" + "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine" + "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed." + "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started." + "0xc0000193": "User logon with expired account" + "0xc0000224": "User is required to change password at next logon" + "0xc0000225": "Evidently a bug in Windows and not a risk" + "0xc0000234": "User logon with account locked" + "0xc00002ee": "Failure Reason: An Error occurred during Logon" + "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine." + "0xc0000371": "The local account store does not contain secret material for the specified account" + "0x0": "Status OK." + source: |- + if (ctx.winlog?.event_data?.Status == null || + ctx.event?.code == null || + !["4625", "4776"].contains(ctx.event.code)) { + return; + } + if (params.containsKey(ctx.winlog.event_data.Status)) { + if (ctx.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]); + } + if (ctx.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) { + return; + } + if (ctx.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]); + - script: + lang: painless + ignore_failure: false + tag: Set 
Trust Type + description: Set Trust Type + # Trust Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + params: + "1": "TRUST_TYPE_DOWNLEVEL" + "2": "TRUST_TYPE_UPLEVEL" + "3": "TRUST_TYPE_MIT" + "4": "TRUST_TYPE_DCE" + source: |- + if (ctx.winlog?.event_data?.TdoType == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoType)) { + return; + } + ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Direction + description: Set Trust Direction + # Trust Direction + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + params: + "0": "TRUST_DIRECTION_DISABLED" + "1": "TRUST_DIRECTION_INBOUND" + "2": "TRUST_DIRECTION_OUTBOUND" + "3": "TRUST_DIRECTION_BIDIRECTIONAL" + source: |- + if (ctx.winlog?.event_data?.TdoDirection == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) { + return; + } + ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Attributes + description: Set Trust Attributes + # Trust Attributes + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + params: + "0": "UNDEFINED" + "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE" + "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY" + "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" + "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" + "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" + "32": "TRUST_ATTRIBUTE_WITHIN_FOREST" + "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" + "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" + "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" + "1024": "TRUST_ATTRIBUTE_PIM_TRUST" + source: |- + if (ctx.winlog?.event_data?.TdoAttributes == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) { + return; + } + 
ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]); + - script: + lang: painless + ignore_failure: false + tag: Add Session Events + description: Add Session Events + source: |- + if (ctx.event?.code == null || + !["4778", "4779"].contains(ctx.event.code)) { + return; + } + //AccountName to user.name and related.user + if (ctx.winlog?.event_data?.AccountName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.event_data.AccountName); + if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) { + ctx.related.user.add(ctx.winlog.event_data.AccountName); + } + } + + //AccountDomain to user.domain + if (ctx.winlog?.event_data?.AccountDomain != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.event_data.AccountDomain); + } + + //ClientAddress to source.ip and related.ip + if (ctx.winlog?.event_data?.ClientAddress != null && + ctx.winlog.event_data.ClientAddress != "-" && + ctx.winlog.event_data.ClientAddress != "Unknown") { + // Correct invalid IP address "LOCAL" + if (ctx?.winlog?.event_data?.ClientAddress == "LOCAL") { + ctx.winlog.event_data.ClientAddress="127.0.0.1"; + } + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.ip == null) { + ArrayList al = new ArrayList(); + ctx.related.put("ip", al); + } + ctx.source.put("ip", ctx.winlog.event_data.ClientAddress); + if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) { + ctx.related.ip.add(ctx.winlog.event_data.ClientAddress); + } + } + + //ClientName to source.domain + if 
(ctx.winlog?.event_data?.ClientName != null) { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.ClientName); + } + + //LogonID to winlog.logon.id + if (ctx.winlog?.event_data?.LogonID != null) { + if (ctx.winlog?.logon == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID); + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User + description: Copy Target User + source: |- + if (ctx.event?.code == null || + !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770", + "4771", "4776", "4964"].contains(ctx.event.code)) { + return; + } + + def targetUserId = ctx.winlog?.event_data?.TargetUserSid; + if (targetUserId == null) { + targetUserId = ctx.winlog?.event_data?.TargetSid; + } + + //TargetUserSid to user.id or user.target.id + if (targetUserId != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.user?.id == null) { + ctx.user.put("id", targetUserId); + } else { + if (ctx.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("id", targetUserId); + } + } + + //TargetUserName to related.user and user.name or user.target.name + if (ctx.winlog?.event_data?.TargetUserName != null) { + def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@"); + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.user?.name == null) { + ctx.user.put("name", tun[0]); + } else { + if (ctx.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("name", tun[0]); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if 
(!ctx.related.user.contains(tun[0])) { + ctx.related.user.add(tun[0]); + } + } + //TargetUserDomain to user.domain or user.target.domain + if (ctx.winlog?.event_data?.TargetDomainName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.user?.domain == null) { + ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName); + } else { + if (ctx.user?.target == null){ + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName); + } + } +# split member name into parts based on comma ignoring escaped commas +# https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names + - split: + if: ctx.winlog?.event_data?.MemberName != null + field: winlog.event_data.MemberName + target_field: _temp.MemberNameParts + separator: "(?= 4) { + def domain = memberNameParts[3].replace("DC=", "").replace("dc=", ""); + ctx.user.target.put("domain", domain); + } + } + if (ctx.winlog?.event_data?.TargetUserSid != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetUserSid); + } + if (ctx.winlog?.event_data?.TargetSid != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx.winlog?.event_data?.TargetUserName != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx.winlog?.event_data?.TargetDomainName != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", ""); + ctx.group.put("domain", domain); + } + if (ctx.user?.target != null) { + if (ctx.user?.target?.group == null) { + HashMap hm = new 
HashMap(); + ctx.user.target.put("group", hm); + } + if (ctx.group?.id != null) { + ctx.user.target.group.put("id", ctx.group.id); + } + if (ctx.group?.name != null) { + ctx.user.target.group.put("name", ctx.group.name); + } + if (ctx.group?.domain != null) { + ctx.user.target.group.put("domain", ctx.group.domain); + } + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User to Computer Object + description: Copy Target User to Computer Object + source: |- + if (ctx.event?.code == null || + !["4741", "4742", "4743"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.TargetSid != null) { + if (ctx.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx.winlog?.event_data?.TargetUserName != null) { + if (ctx.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx.winlog?.event_data?.TargetDomainName != null) { + if (ctx.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.TargetLogonId + ignore_failure: false + if: ctx.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from Event Data + description: Copy Subject User from Event Data + source: |- + if (ctx.event?.code == null || + !["4648", "4657", "4662", "4670", "4672", "4673", "4674", "4688", "4689", "4697", + "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", "4716", "4717", + "4718", "4719", "4720", "4722", "4723", "4724", "4725", "4726", "4727", "4728", + "4729", "4730", 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4739", + "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", + "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", + "4760", "4761", "4762", "4763", "4764", "4767", "4781", "4797", "4798", "4799", + "4817", "4904", "4905", "4907", "4912", "5136", "5140", "5145", "5379", "5380", + "5381", "5382"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.SubjectUserSid != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid); + } + if (ctx.winlog?.event_data?.SubjectUserName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.event_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.event_data.SubjectUserName); + } + } + if (ctx.winlog?.event_data?.SubjectDomainName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName); + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User to Target + description: Copy Target User to Target + source: |- + if (ctx?.event?.code == null || + !["4670", "4720", "4722", "4723", "4724", "4725", + "4726", "4738", "4740", "4767", "4798", "4817", + "4907", "4797"].contains(ctx.event.code)) { + return; + } + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + def userId = ctx?.winlog?.event_data?.TargetSid; + if (userId != 
null && userId != "" && userId != "-") ctx.user.target.id = userId; + def userName = ctx?.winlog?.event_data?.TargetUserName; + if (userName != null && userName != "" && userName != "-") { + ctx.user.target.name = userName; + def parts = userName.splitOnToken("@"); + if (parts.length > 1) { + ctx.user.target.name = parts[0]; + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.user.target.name)) { + ctx.related.user.add(ctx.user.target.name); + } + } + def userDomain = ctx?.winlog?.event_data?.TargetDomainName; + if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain; + if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target"); + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User to Effective + description: Copy Target User to Effective + source: |- + if (ctx?.event?.code == null || + !["4648", "4688"].contains(ctx.event.code)) { + return; + } + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.effective == null) { + HashMap hm = new HashMap(); + ctx.user.put("effective", hm); + } + def userId = ctx?.winlog?.event_data?.TargetUserSid; + if (userId != null && userId != "" && userId != "-") ctx.user.effective.id = userId; + def userName = ctx?.winlog?.event_data?.TargetUserName; + if (userName != null && userName != "" && userName != "-") { + ctx.user.effective.name = userName; + def parts = userName.splitOnToken("@"); + if (parts.length > 1) { + ctx.user.effective.name = parts[0]; + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.user.effective.name)) { + ctx.related.user.add(ctx.user.effective.name); + } + } + def userDomain = ctx?.winlog?.event_data?.TargetDomainName; + if (userDomain != null && userDomain != "" && userDomain != 
"-") ctx.user.effective.domain = userDomain; + if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective"); + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from user_data + description: Copy Subject User from user_data + source: |- + if (ctx.event?.code == null || + !["1102"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.user_data?.SubjectUserSid != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid); + } + if (ctx.winlog?.user_data?.SubjectUserName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.user_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.user_data.SubjectUserName); + } + } + if (ctx.winlog?.user_data?.SubjectDomainName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.SubjectLogonId + ignore_failure: true + + - set: + field: winlog.logon.id + copy_from: winlog.user_data.SubjectLogonId + ignore_failure: true + if: |- + ctx.event?.code != null && + ["1102"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + tag: Rename Common Auth Fields + description: Rename Common Auth Fields + source: |- + if (ctx.event?.code == null || + !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625", + "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722", + "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730", + 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740", + "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", + "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", + "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", + "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817", + "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.ProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.ProcessId); + } + ctx.winlog.event_data.remove("ProcessId"); + } + if (ctx.winlog?.event_data?.ProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.ProcessName); + ctx.winlog.event_data.remove("ProcessName"); + } + if (ctx.winlog?.event_data?.IpAddress != null && + ctx.winlog.event_data.IpAddress != "-") { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("ip", ctx.winlog.event_data.IpAddress); + ctx.winlog.event_data.remove("IpAddress"); + } + if (ctx.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort)); + ctx.winlog.event_data.remove("IpPort"); + } + if (ctx.winlog?.event_data?.WorkstationName != null) { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.WorkstationName); + ctx.winlog.event_data.remove("WorkstationName"); + } + if (ctx.winlog?.event_data?.ClientAddress != null 
&& + ctx.winlog.event_data.ClientAddress != "-") { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + ctx.related.put("ip", ctx.winlog.event_data.ClientAddress); + ctx.winlog.event_data.remove("ClientAddress"); + } + if (ctx.process?.name == null && ctx.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + + - script: + lang: painless + ignore_failure: false + tag: Process Event 4688 + description: Process Event 4688 + source: |- + if (ctx.event?.code == null || + !["4688"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.NewProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.NewProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.NewProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.NewProcessId); + } + ctx.winlog.event_data.remove("NewProcessId"); + } + if (ctx.winlog?.event_data?.NewProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.NewProcessName); + ctx.winlog.event_data.remove("NewProcessName"); + } + if (ctx.winlog?.event_data?.ParentProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName); + ctx.winlog.event_data.remove("ParentProcessName"); + } + if (ctx.process?.name == null && ctx.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + if (ctx.process?.parent?.name == null && ctx.process?.parent?.executable != null) { + def 
parts = ctx.process.parent.executable.splitOnToken("\\"); + ctx.process.parent.put("name", parts[-1]); + } + if (ctx.winlog?.event_data?.ProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.parent.put("pid", pid.longValue()); + } else { + ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); + } + } + if (ctx.winlog?.event_data?.CommandLine != null) { + int start = 0; + int end = 0; + boolean in_quote = false; + ArrayList al = new ArrayList(); + for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { + end = i; + if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { + if (in_quote) { + in_quote = false; + } else { + in_quote = true; + } + } + if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); + start = i + 1; + } + if (i == ctx.winlog.event_data.CommandLine.length() - 1) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); + } + } + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("args", al); + ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + } + if ((ctx.winlog?.event_data?.TargetUserName != null) && + (!ctx.winlog.event_data.TargetUserName.equals("-"))) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { + ctx.related.user.add(ctx.winlog.event_data.TargetUserName); + } + } + + - append: + field: 
related.user + value: '{{winlog.event_data.SubjectUserName}}' + allow_duplicates: false + if: |- + ctx.event?.code != null && + ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) && + ctx.winlog?.event_data?.SubjectUserName != null && + ctx.winlog.event_data.SubjectUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.TargetUserName}}' + allow_duplicates: false + if: |- + ctx.event?.code != null && + ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738", + "4740", "4767", "4797", "4798"].contains(ctx.event.code) && + ctx.winlog?.event_data?.TargetUserName != null && + ctx.winlog.event_data.TargetUserName != "-" + + - split: + field: winlog.event_data.PrivilegeList + separator: "\\s+" + if: |- + ctx.event?.code != null && + ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) && + ctx.winlog?.event_data?.PrivilegeList != null + + - set: + field: user.target.name + copy_from: winlog.event_data.OldTargetUserName + ignore_empty_value: true + + - set: + field: user.changes.name + copy_from: winlog.event_data.NewTargetUserName + ignore_empty_value: true + + - append: + field: related.user + value: '{{winlog.event_data.NewTargetUserName}}' + allow_duplicates: false + if: |- + ctx.winlog?.event_data?.NewTargetUserName != null && + ctx.winlog.event_data.NewTargetUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.OldTargetUserName}}' + allow_duplicates: false + if: |- + ctx.winlog?.event_data?.OldTargetUserName != null && + ctx.winlog.event_data.OldTargetUserName != "-" + + - gsub: + field: source.ip + pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$' + replacement: '$1' + ignore_missing: true + + - append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: |- + ctx.source?.ip != null && + ctx.source.ip != "-" + + - script: + lang: painless + ignore_failure: false + tag: Object Policy Change and 
SidListDesc + description: Object Policy Change and SidListDesc + # SDDL Ace Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + # SDDL Permissions + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + # Known SIDs + # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems + # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings + # Domain-specific SIDs + # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems + # Object Permission Flags + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + AccountSIDDescription: + AO: Account operators + RU: Alias to allow previous Windows 2000 + AN: Anonymous logon + AU: Authenticated users + BA: Built-in administrators + BG: Built-in guests + BO: Backup operators + BU: Built-in users + CA: Certificate server administrators + CG: Creator group + CO: Creator owner + DA: Domain administrators + DC: Domain computers + DD: Domain controllers + DG: Domain guests + DU: Domain users + EA: Enterprise administrators + ED: Enterprise domain controllers + WD: Everyone + PA: Group Policy administrators + IU: Interactively logged-on user + LA: Local administrator + LG: Local guest + LS: Local service account + SY: Local system + NU: Network logon user + "NO": Network configuration operators + NS: Network service account + PO: Printer operators + PS: Personal self + PU: Power users + RS: RAS servers group + RD: Terminal server users + RE: Replicator + RC: Restricted code + SA: 
Schema administrators + SO: Server operators + SU: Service logon user + S-1-0: Null Authority + S-1-0-0: Nobody + S-1-1: World Authority + S-1-1-0: Everyone + S-1-16-0: Untrusted Mandatory Level + S-1-16-12288: High Mandatory Level + S-1-16-16384: System Mandatory Level + S-1-16-20480: Protected Process Mandatory Level + S-1-16-28672: Secure Process Mandatory Level + S-1-16-4096: Low Mandatory Level + S-1-16-8192: Medium Mandatory Level + S-1-16-8448: Medium Plus Mandatory Level + S-1-2: Local Authority + S-1-2-0: Local + S-1-2-1: Console Logon + S-1-3: Creator Authority + S-1-3-0: Creator Owner + S-1-3-1: Creator Group + S-1-3-2: Creator Owner Server + S-1-3-3: Creator Group Server + S-1-3-4: Owner Rights + S-1-4: Non-unique Authority + S-1-5: NT Authority + S-1-5-1: Dialup + S-1-5-10: Principal Self + S-1-5-11: Authenticated Users + S-1-5-12: Restricted Code + S-1-5-13: Terminal Server Users + S-1-5-14: Remote Interactive Logon + S-1-5-15: This Organization + S-1-5-17: This Organization + S-1-5-18: Local System + S-1-5-19: NT Authority + S-1-5-2: Network + S-1-5-20: NT Authority + S-1-5-3: Batch + S-1-5-32-544: Administrators + S-1-5-32-545: Users + S-1-5-32-546: Guests + S-1-5-32-547: Power Users + S-1-5-32-548: Account Operators + S-1-5-32-549: Server Operators + S-1-5-32-550: Print Operators + S-1-5-32-551: Backup Operators + S-1-5-32-552: Replicators + S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access + S-1-5-32-555: Builtin\Remote Desktop Users + S-1-5-32-556: Builtin\Network Configuration Operators + S-1-5-32-557: Builtin\Incoming Forest Trust Builders + S-1-5-32-558: Builtin\Performance Monitor Users + S-1-5-32-559: Builtin\Performance Log Users + S-1-5-32-560: Builtin\Windows Authorization Access Group + S-1-5-32-561: Builtin\Terminal Server License Servers + S-1-5-32-562: Builtin\Distributed COM Users + S-1-5-32-569: Builtin\Cryptographic Operators + S-1-5-32-573: Builtin\Event Log Readers + S-1-5-32-574: Builtin\Certificate Service DCOM Access + 
S-1-5-32-575: Builtin\RDS Remote Access Servers + S-1-5-32-576: Builtin\RDS Endpoint Servers + S-1-5-32-577: Builtin\RDS Management Servers + S-1-5-32-578: Builtin\Hyper-V Administrators + S-1-5-32-579: Builtin\Access Control Assistance Operators + S-1-5-32-580: Builtin\Remote Management Users + S-1-5-32-582: Storage Replica Administrators + S-1-5-4: Interactive + S-1-5-5-X-Y: Logon Session + S-1-5-6: Service + S-1-5-64-10: NTLM Authentication + S-1-5-64-14: SChannel Authentication + S-1-5-64-21: Digest Authentication + S-1-5-7: Anonymous + S-1-5-8: Proxy + S-1-5-80: NT Service + S-1-5-80-0: All Services + S-1-5-83-0: NT Virtual Machine\Virtual Machines + S-1-5-9: Enterprise Domain Controllers + S-1-5-90-0: Windows Manager\Windows Manager Group + AceTypes: + A: Access Allowed + D: Access Denied + OA: Object Access Allowed + OD: Object Access Denied + AU: System Audit + AL: System Alarm + OU: System Object Audit + OL: System Object Alarm + ML: System Mandatory Label + SP: Central Policy ID + DomainSpecificSID: + "498": Enterprise Read-only Domain Controllers + "500": Administrator + "501": Guest + "502": KRBTGT + "512": Domain Admins + "513": Domain Users + "514": Domain Guests + "515": Domain Computers + "516": Domain Controllers + "517": Cert Publishers + "518": Schema Admins + "519": Enterprise Admins + "520": Group Policy Creator Owners + "521": Read-only Domain Controllers + "522": Cloneable Domain Controllers + "526": Key Admins + "527": Enterprise Key Admins + "553": RAS and IAS Servers + "571": Allowed RODC Password Replication Group + "572": Denied RODC Password Replication Group + PermissionDescription: + GA: Generic All + GR: Generic Read + GW: Generic Write + GX: Generic Execute + RC: Read Permissions + SD: Delete + WD: Modify Permissions + WO: Modify Owner + RP: Read All Properties + WP: Write All Properties + CC: Create All Child Objects + DC: Delete All Child Objects + LC: List Contents + SW: All Validated + LO: List Object + DT: Delete Subtree + CR: 
All Extended Rights + FA: File All Access + FR: File Generic Read + FX: FILE GENERIC EXECUTE + FW: FILE GENERIC WRITE + KA: KEY ALL ACCESS + KR: KEY READ + KW: KEY WRITE + KX: KEY EXECUTE + PermsFlags: + "0x80000000": 'Generic Read' + "0x4000000": 'Generic Write' + "0x20000000": 'Generic Execute' + "0x10000000": 'Generic All' + "0x02000000": 'Maximum Allowed' + "0x01000000": 'Access System Security' + "0x00100000": 'Syncronize' + "0x00080000": 'Write Owner' + "0x00040000": 'Write DACL' + "0x00020000": 'Read Control' + "0x00010000": 'Delete' + source: |- + ArrayList translatePermissionMask(def mask, def params) { + ArrayList al = new ArrayList(); + Long permCode = Long.decode(mask); + for (entry in params.PermsFlags.entrySet()) { + Long permFlag = Long.decode(entry.getKey()); + if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { + al.add(entry.getValue()); + } + } + if (al.length == 0) { + al.add(mask); + } + return al; + } + + HashMap translateACL(def dacl, def params) { + def aceArray = dacl.splitOnToken(";"); + HashMap hm = new HashMap(); + + if (aceArray.length >= 6 ) { + hm.put("grantee", translateSID(aceArray[5], params)); + } + + if (aceArray.length >= 1) { + hm.put("type", params.AceTypes[aceArray[0]]); + } + + if (aceArray.length >= 3) { + if (aceArray[2].startsWith("0x")) { + hm.put("perms", translatePermissionMask(aceArray[2], params)); + } else { + ArrayList al = new ArrayList(); + Pattern permPattern = /.{1,2}/; + Matcher permMatcher = permPattern.matcher(aceArray[2]); + while (permMatcher.find()) { + al.add(params.PermissionDescription[permMatcher.group(0)]); + } + hm.put("perms", al); + } + } + return hm; + } + String translateSID(def sid, def params) { + if (!params.AccountSIDDescription.containsKey(sid)) { + if (sid.startsWith("S-1-5-21")) { + Pattern uidPattern = /[0-9]{1,5}$/; + Matcher uidMatcher = uidPattern.matcher(sid); + if (uidMatcher.find()) { + return params.DomainSpecificSID[uidMatcher.group(0)]; + } + return sid; 
+ } + return sid; + } + return params.AccountSIDDescription[sid]; + } + + void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { + Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; + Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); + if (sdOwnerMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); + } + + Pattern sdGroupPattern = /^G\:[A-Z]{2}/; + Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); + if (sdGroupMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); + } + + Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; + Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); + if (sdDaclMatcher.find()) { + Pattern dacListPattern = /\([^*\)]*\)/; + Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); + for (def i = 0; dacListMatcher.find(); i++) { + def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newDacl['grantee'])) { + ctx.related.user.add(newDacl['grantee']); + } + } + } + } + + Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; + Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); + if (sdSaclMatcher.find()) { + Pattern sacListPattern = /\([^*\)]*\)/; + Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); + for (def i = 0; sacListMatcher.find(); i++) { + def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + 
newSacl['type'] + " (" + newSacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newSacl['grantee'])) { + ctx.related.user.add(newSacl['grantee']); + } + } + } + } + } + + void splitSidList(def sids, def params, def ctx) { + ArrayList al = new ArrayList(); + def sidList = sids.splitOnToken(" "); + ctx.winlog.event_data.put("SidList", sidList); + for (def i = 0; i < sidList.length; i++ ) { + al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); + } + ctx.winlog.event_data.put("SidListDesc", al); + } + + if (ctx.event?.code == null || + !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.OldSd != null) { + enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); + } + if (ctx.winlog?.event_data?.NewSd != null) { + enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); + } + if (ctx.winlog?.event_data?.SidList != null) { + splitSidList(ctx.winlog.event_data.SidList, params, ctx); + } + + - set: + field: file.name + copy_from: winlog.event_data.RelativeTargetName + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.RelativeTargetName != null && + ctx.winlog.event_data.RelativeTargetName != "" + - set: + field: file.directory + copy_from: winlog.event_data.ShareLocalPath + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareLocalPath != null && + ctx.winlog.event_data.ShareLocalPath != "" + - set: + field: file.path + value: "{{file.directory}}\\{{file.name}}" + if: ctx.file?.name != null && ctx.file?.directory != null + - set: + field: file.directory + copy_from: 
winlog.event_data.ShareLocalPath + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareLocalPath != null && + ctx.winlog.event_data.ShareLocalPath != "" + - set: + field: file.target_path + value: "{{winlog.event_data.ShareName}}\\{{file.name}}" + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareName != null && + ctx.winlog.event_data.ShareName != "" && + ctx.file?.name != null + - script: + description: Adds file information. + lang: painless + if: ctx.file?.name != null + source: |- + def extIdx = ctx.file.name.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = ctx.file.name.substring(extIdx+1); + } + - convert: + field: winlog.record_id + type: string + ignore_missing: true + + - convert: + field: winlog.event_id + type: string + ignore_missing: true + + - set: + field: ecs.version + value: '8.0.0' + + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx.winlog?.level != "" + + - date: + field: winlog.time_created + tag: "time_created_date" + formats: + - ISO8601 + if: ctx.winlog?.time_created != null + on_failure: + - remove: + field: winlog.time_created + ignore_failure: true + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + + #Cleanup _temp fields as it is not needed anymore + - remove: + field: _temp + ignore_missing: true + ignore_failure: true + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" 
diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml index 03ed45832bb2..efec7a6246df 100644 --- a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml +++ b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml @@ -5,7 +5,7 @@ processors: - set: field: ecs.version - value: '8.0.0' + value: '8.17.0' - script: description: Remove all empty values from event_data. lang: painless From ef6b4a6c463b8f9bfa23802bc0e4fb742c9534e5 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 5 Mar 2025 13:12:59 +0100 Subject: [PATCH 05/12] docs: Prepare Changelog for 8.17.3 (#42980) (#43029) * docs: Close changelog for 8.17.3 * Remove empty sections and update changelog entries --------- Co-authored-by: elasticmachine Co-authored-by: Pierre HILBERT (cherry picked from commit 1896cdac8925179b8c823c3cbdab145c1a5ee8f1) Co-authored-by: elastic-vault-github-plugin-prod[bot] <150874479+elastic-vault-github-plugin-prod[bot]@users.noreply.github.com> --- CHANGELOG.asciidoc | 43 +++++++++++++++++++++++++++++++++++ CHANGELOG.next.asciidoc | 15 ------------ libbeat/docs/release.asciidoc | 1 + 3 files changed, 44 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 7a24a85ecee6..fffeef0a9506 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc 
@@ -3,6 +3,49 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-8.17.3]] +=== Beats version 8.17.3 +https://github.com/elastic/beats/compare/v8.17.2\...v8.17.3[View commits] + +==== Bugfixes + +*Affecting all Beats* + +- Restored event Meta fields in the Elasticsearch output's error logs. {pull}42559[42559] + +*Filebeat* + +- [Journald] Fixes handling of `journalctl` restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines. {issue}41331[41331] {pull}42595[42595] +- Fix entityanalytics activedirectory provider full sync use before initialization bug. {pull}42682[42682] +- In the `http_endpoint` input, fix the check for a missing HMAC HTTP header. {pull}42756[42756] + +*Metricbeat* + +- Fixed panic caused by uninitialized meraki device wifi0 and wifi1 struct pointers in the device WiFi data fetching. {issue}42745[42745] {pull}42746[42746] +- Only fetch cluster-level index stats summary. {issue}36019[36019] {pull}42901[42901] +- Fixed an issue in Metricbeat's Windows module where data collection would fail if the data was unavailable. {issue}42802[42802] {pull}42803[42803] + +*Winlogbeat* + +- Sync missing changes in modules pipelines. {pull}42619[42619] + +==== Added + +*Affecting all Beats* + +- Update Go version to 1.22.12. {pull}42681[42681] + +*Filebeat* + +- Introduce ignore older and start timestamp filters for AWS S3 input. {pull}41804[41804] +- Publish events progressively in the Okta provider of the Entity Analytics input. {issue}40106[40106] {pull}42567[42567] + +*Metricbeat* + +- Log every 401 response from Kubernetes API Server. {pull}42714[42714] +- Collect more fields from ES node/stats metrics and only those that are necessary. {pull}42421[42421] + + [[release-notes-8.17.2]] === Beats version 8.17.2 https://github.com/elastic/beats/compare/v8.17.1\...v8.17.2[View commits] 
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index c4f85fbbadc2..f04e8e0d6d41 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -127,21 +127,6 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403] - Support Elastic Agent control protocol chunking support {pull}37343[37343] - Lower logging level to debug when attempting to configure beats with unknown fields from autodiscovered events/environments {pull}[37816][37816] - Set timeout of 1 minute for FQDN requests {pull}37756[37756] -- Fix issue where old data could be saved in the memory queue after acknowledgment, increasing memory use {pull}41356[41356] -- Ensure Elasticsearch output can always recover from network errors {pull}40794[40794] -- Add `translate_ldap_attribute` processor. {pull}41472[41472] -- Remove unnecessary debug logs during idle connection teardown {issue}40824[40824] -- Remove unnecessary reload for Elastic Agent managed beats when apm tracing config changes from nil to nil {pull}41794[41794] -- Fix incorrect cloud provider identification in add_cloud_metadata processor using provider priority mechanism {pull}41636[41636] -- Prevent panic if libbeat processors are loaded more than once. {issue}41475[41475] {pull}41857[51857] -- Allow network condition to handle field values that are arrays of IP addresses. {pull}41918[41918] -- Fix a bug where log files are rotated on startup when interval is configured and rotateonstartup is disabled {issue}41894[41894] {pull}41895[41895] -- Fix setting unique registry for non beat receivers {issue}42288[42288] {pull}42292[42292] -- The Kafka output now drops events when there is an authorisation error {issue}42343[42343] {pull}42401[42401] -- Fix autodiscovery memory leak related to metadata of start events {pull}41748[41748] -- All standard queue metrics are now included in metrics monitoring, including: `added.{events, bytes}`, `consumed.{events, bytes}`, `removed.{events, bytes}`, and `filled.{events, bytes, pct}`. {pull}42439[42439] -- The following output latency metrics are now included in metrics monitoring: `output.latency.{count, max, median, p99}`. 
{pull}42439[42439] -- Restored event Meta fields in the Elasticsearch output's error logs. {pull}42559[42559] *Auditbeat* diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index 456b2418878f..f37aa317b670 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -8,6 +8,7 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> * <> * <> * <> From 0536310733fb4452352ca6c05a2f39a97377ccf0 Mon Sep 17 00:00:00 2001 From: Pierre HILBERT Date: Wed, 5 Mar 2025 13:25:45 +0100 Subject: [PATCH 06/12] Update CHANGELOG.asciidoc --- CHANGELOG.asciidoc | 111 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index fffeef0a9506..45fa98c9b7ba 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc 
@@ -3,6 +3,117 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-9.0.0-beta1]] +=== Beats version 9.0.0-beta1 +https://github.com/elastic/beats/compare/v8.17.2\...v9.0.0-beta1[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Set default Kafka version to 2.1.0 in Kafka output and Filebeat. {pull}41662[41662] +- Replace default Ubuntu-based images with UBI-minimal-based ones. {pull}42150[42150] +- removed support for a single `-` to precede multi-letter command line arguments. Use `--` instead. {issue}42117[42117] {pull}42209[42209] + +*Filebeat* + +- Filebeat fails to start if there is any input with a duplicated ID. It logs the duplicated IDs and the offending inputs configurations. {pull}41731[41731] +- Filestream inputs with duplicated IDs will fail to start. An error is logged showing the ID and the full input configuration. {issue}41938[41938] {pull}41954[41954] +- Filestream inputs can define `allow_deprecated_id_duplication: true` to run keep the previous behaviour of running inputs with duplicated IDs. {issue}41938[41938] {pull}41954[41954] +- The Filestream input only starts to ingest a file when it is >= 1024 bytes in size. This happens because the fingerprint is the default file identity now. To restore the previous behaviour, set `file_identity.native: ~` and `prospector.scanner.fingerprint.enabled: false`. {issue}40197[40197] {pull}41762[41762] +- Filebeat fails to start when its configuration contains usage of the deprecated `log` or `container` inputs. However, they can still be used when `allow_deprecated_use: true` is set in their configuration. {pull}42295[42295] + +*Osquerybeat* + +- Upgrade osquery version to 5.13.1. {pull}40849[40849] + +*Packetbeat* + +- Use base-16 for reporting `serial_number` value in TLS fields in line with the ECS recommendation. {pull}41542[41542] + +*Winlogbeat* + +- Default to use raw API and delete older XML implementation. 
{pull}42275[42275] + +==== Bugfixes + +*Auditbeat* + +- hasher: Add a cached hasher for upcoming backend. {pull}41952[41952] +- Split common tty definitions. {pull}42004[42004] + +*Filebeat* + +- Redact authorization headers in HTTPJSON debug logs. {pull}41920[41920] +- Further rate limiting fix in the Okta provider of the Entity Analytics input. {issue}40106[40106] {pull}41977[41977] +- The `_id` generation process for S3 events has been updated to incorporate the LastModified field. This enhancement ensures that the `_id` is unique. {pull}42078[42078] +- Fix truncation of bodies in request tracing by limiting bodies to 10% of the maximum file size. {pull}42327[42327] +- [Journald] Fixes handling of `journalctl` restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines. {issue}41331[41331] {pull}42595[42595] + +*Metricbeat* + +- Fix bug where Metricbeat unintentionally triggers Windows ASR. {pull}42177[42177] +- Remove `hostname` field from ZooKeeper's `mntr` data stream. {pull}41887[41887] + +*Packetbeat* + +- Properly marshal nested structs in ECS fields, fixing issues with mixed cases in field names. {pull}42116[42116] + +==== Added + +*Auditbeat* + +- Improve logging in system/socket. {pull}41571[41571] + +*Filebeat* + +- Added out of the box support for Amazon EventBridge notifications over SQS to S3 input. {pull}40006[40006] +- Update CEL mito extensions to v1.16.0. {pull}41727[41727] +- Filebeat's registry is now added to the Elastic-Agent diagnostics bundle. {issue}33238[33238] {pull}41795[41795] +- Add `unifiedlogs` input for MacOS. {pull}41791[41791] +- Add evaluation state dump debugging option to CEL input. {pull}41335[41335] +- Rate limiting operability improvements in the Okta provider of the Entity Analytics input. {issue}40106[40106] {pull}41977[41977] +- Rate limiting fault tolerance improvements in the Okta provider of the Entity Analytics input. 
{issue}40106[40106] {pull}42094[42094] +- Introduce ignore older and start timestamp filters for AWS S3 input. {pull}41804[41804] +- Journald input now can report its status to Elastic-Agent. {issue}39791[39791] {pull}42462[42462] +- Publish events progressively in the Okta provider of the Entity Analytics input. {issue}40106[40106] {pull}42567[42567] +- Journald `include_matches.match` now accepts `+` to represent a logical disjunction (OR). {issue}40185[40185] {pull}42517[42517] +- The journald input is now generally available. {pull}42107[42107] + +*Heartbeat* + +- Add support for RFC7231 methods to HTTP monitors. {pull}41975[41975] + +*Metricbeat* + +- Add `use_kubeadm` config option in kubernetes module in order to toggle kubeadm-config API requests. {pull}40086[40086] +- Preserve queries for debugging when `merge_results: true` in SQL module. {pull}42271[42271] +- Collect more fields from ES node/stats metrics and only those that are necessary. {pull}42421[42421] + +*Metricbeat* +- Add benchmark module. {pull}41801[41801] + +*Osquerybeat* + +- Increase maximum query timeout to 24 hours. {pull}42356[42356] + +*Winlogbeat* + +- Properly set events `UserData` when experimental API is used. {pull}41525[41525] +- Include XML is respected for experimental API. {pull}41525[41525] +- Forwarded events use renderedtext info for experimental API. {pull}41525[41525] +- Language setting is respected for experimental API. {pull}41525[41525] +- Language setting also added to decode XML wineventlog processor. {pull}41525[41525] +- Format embedded messages in the experimental API. {pull}41525[41525] +- Make the experimental API GA and rename it to winlogbeat-raw. {issue}39580[39580] {pull}41770[41770] +- Remove 22 clause limitation. {issue}35047[35047] {pull}42187[42187] +- Add handling for recoverable publisher disabled errors. {issue}35316[35316] {pull}42187[42187] + +*Functionbeat* + +- Remove Functionbeat binaries from CI pipelines. 
{issue}40745[40745] {pull}41506[41506] + + [[release-notes-8.17.3]] === Beats version 8.17.3 https://github.com/elastic/beats/compare/v8.17.2\...v8.17.3[View commits] From 40a68d4b480b0a8d7ab3943852b6454e68832cb7 Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Wed, 5 Mar 2025 17:11:56 +0100 Subject: [PATCH 07/12] refactor: drop custom fsync implementation (#42066) * refactor: drop custom fsync implement upstream is using F_FULLFSYNC on darwin call stdlib f.sync and remove custom fsync implementation * lint: fix linting errors * Update util.go --- .../statestore/backend/memlog/diskstore.go | 6 +- libbeat/statestore/backend/memlog/util.go | 10 +-- .../statestore/backend/memlog/util_darwin.go | 74 ------------------- .../statestore/backend/memlog/util_other.go | 36 --------- .../statestore/backend/memlog/util_windows.go | 26 ------- 5 files changed, 4 insertions(+), 148 deletions(-) delete mode 100644 libbeat/statestore/backend/memlog/util_darwin.go delete mode 100644 libbeat/statestore/backend/memlog/util_other.go delete mode 100644 libbeat/statestore/backend/memlog/util_windows.go diff --git a/libbeat/statestore/backend/memlog/diskstore.go b/libbeat/statestore/backend/memlog/diskstore.go index 6adde0b25ec5..39ac216b0d40 100644 --- a/libbeat/statestore/backend/memlog/diskstore.go +++ b/libbeat/statestore/backend/memlog/diskstore.go @@ -217,7 +217,7 @@ func (s *diskstore) Close() error { // always sync log file on ordinary shutdown. err := s.logBuf.Flush() if err == nil { - err = syncFile(s.logFile) + err = s.logFile.Sync() } s.logFile.Close() s.logFile = nil @@ -380,7 +380,7 @@ func (s *diskstore) checkpointTmpFile(tempfile string, states map[string]entry) return "", err } - if err = syncFile(f); err != nil { + if err = f.Sync(); err != nil { return "", err } 
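Review bot: The new `err = s.logFile.Sync()` in Close and `f.Sync()` in checkpointTmpFile drop a fallback the removed darwin implementation had: when fcntl(F_FULLFSYNC) failed with a non-I/O error (e.g. a filesystem that rejects it) it fell back to plain fsync(2), and I am not certain the stdlib darwin Sync does the same on the Go version in use (1.22.x per the changelog; newer releases may), so checkpoints on such mounts could now fail where they previously succeeded best-effort. Because log and checkpoint durability decide which events are re-sent or lost after a crash, this is worth confirming before merging rather than relying on the commit message's "upstream is using F_FULLFSYNC". If the fallback is indeed gone, a one-line comment in Close such as `// Sync uses F_FULLFSYNC on darwin and retries EINTR; there is no fallback to fsync(2) if the filesystem rejects it.` records the new contract for the next reader. Close's body and checkpointTmpFile's body continue outside the hunk.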
@@ -658,7 +658,7 @@ func writeMetaFile(home string, mode os.FileMode) error { return err } - if err := syncFile(f); err != nil { + if err := f.Sync(); err != nil { return err } diff --git a/libbeat/statestore/backend/memlog/util.go b/libbeat/statestore/backend/memlog/util.go index ae6ec609dfc3..4b70e9b97a3a 100644 --- a/libbeat/statestore/backend/memlog/util.go +++ b/libbeat/statestore/backend/memlog/util.go @@ -18,11 +18,9 @@ package memlog import ( - "errors" "io" "os" "runtime" - "syscall" ) // countWriter keeps track of the amount of bytes written over time. @@ -37,12 +35,6 @@ func (c *countWriter) Write(p []byte) (int, error) { return n, err } -var _ = isRetryErr - -func isRetryErr(err error) bool { - return errors.Is(err, syscall.EINTR) || errors.Is(err, syscall.EAGAIN) -} - // trySyncPath provides a best-effort fsync on path (directory). The fsync is required by some // filesystems, so to update the parents directory metadata to actually // contain the new file being rotated in. @@ -53,7 +45,7 @@ func trySyncPath(path string) { } defer f.Close() //nolint:errcheck // ignore error - syncFile(f) + f.Sync() } // pathEnsurePermissions checks if the file permissions for the given file match wantPerm. diff --git a/libbeat/statestore/backend/memlog/util_darwin.go b/libbeat/statestore/backend/memlog/util_darwin.go deleted file mode 100644 index 21861d471afb..000000000000 --- a/libbeat/statestore/backend/memlog/util_darwin.go +++ /dev/null 
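Review bot: In trySyncPath the new `f.Sync()` discards its error with no marker, while the `defer f.Close()` directly above carries `//nolint:errcheck // ignore error`; writing it as `_ = f.Sync() // best effort: fsync on a directory fd is rejected by some filesystems` keeps the best-effort contract the doc comment describes and keeps errcheck consistent across the two lines. The same patch also removes the isRetryErr loop, so EAGAIN is no longer retried anywhere; the stdlib retries EINTR inside Sync (I believe since Go 1.14), and fsync(2) is not documented to return EAGAIN on regular files, so that is probably harmless but deserves a sentence in the commit message since it is a behaviour change on every platform, not only darwin. trySyncPath's signature is outside the hunk.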
@@ -1,74 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package memlog - -import ( - "os" - "syscall" - - "golang.org/x/sys/unix" -) - -var errno0 = syscall.Errno(0) - -// syncFile implements the fsync operation for darwin. On darwin fsync is not -// reliable, instead the fcntl syscall with F_FULLFSYNC must be used. -func syncFile(f *os.File) error { - for { - _, err := unix.FcntlInt(f.Fd(), unix.F_FULLFSYNC, 0) - rootCause := errorRootCause(err) - if err == nil || isIOError(rootCause) { - return err - } - - if isRetryErr(err) { - continue - } - - err = f.Sync() - if isRetryErr(err) { - continue - } - return err - } -} - -func isIOError(err error) bool { - return err == unix.EIO || - // space/quota - err == unix.ENOSPC || err == unix.EDQUOT || err == unix.EFBIG || - // network - err == unix.ECONNRESET || err == unix.ENETDOWN || err == unix.ENETUNREACH -} - -// normalizeSysError returns the underlying error or nil, if the underlying -// error indicates it is no error. -func errorRootCause(err error) error { - for err != nil { - u, ok := err.(interface{ Unwrap() error }) - if !ok { - break - } - err = u.Unwrap() - } - - if err == nil || err == errno0 { - return nil - } - return err -} 
diff --git a/libbeat/statestore/backend/memlog/util_other.go b/libbeat/statestore/backend/memlog/util_other.go deleted file mode 100644 index d765a72d97d7..000000000000 --- a/libbeat/statestore/backend/memlog/util_other.go +++ /dev/null @@ -1,36 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -//go:build linux || dragonfly || freebsd || netbsd || openbsd || solaris || aix - -package memlog - -import ( - "os" -) - -// syncFile implements the fsync operation for most *nix systems. -// The call is retried if EINTR or EAGAIN is returned. -func syncFile(f *os.File) error { - // best effort. - for { - err := f.Sync() - if err == nil || !isRetryErr(err) { - return err - } - } -} diff --git a/libbeat/statestore/backend/memlog/util_windows.go b/libbeat/statestore/backend/memlog/util_windows.go deleted file mode 100644 index ce0d1080b724..000000000000 --- a/libbeat/statestore/backend/memlog/util_windows.go +++ /dev/null 
@@ -1,26 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package memlog - -import "os" - -// syncFile implements the fsync operation for Windows. Internally -// FlushFileBuffers will be used. -func syncFile(f *os.File) error { - return f.Sync() // stdlib already uses FlushFileBuffers, yay -} From 83e0ec0cd6e887eac7a9c79d4c3ea156ff324d1a Mon Sep 17 00:00:00 2001 
From: Michel Laterman <82832767+michel-laterman@users.noreply.github.com> Date: Wed, 5 Mar 2025 08:12:52 -0800 Subject: [PATCH 08/12] FIPS Build (#42402) Enable FIPS compliant builds when the env var FIPS=true is set. Artifacts are built with the microsfot/go toolchain with the env var GOEXPERIMENT=systemcrypto and the build tag "-tags=requirefips". In order to run the resulting binary, the system must have a FIPS compliant crypto provider. --- dev-tools/mage/build.go | 44 ++++++++++++++- dev-tools/mage/build_test.go | 72 ++++++++++++++++++++++++ dev-tools/mage/common.go | 6 ++ dev-tools/mage/crossbuild.go | 4 ++ dev-tools/mage/dockerbuilder.go | 3 + dev-tools/mage/gotest.go | 4 +- dev-tools/mage/pkg.go | 11 +++- dev-tools/mage/pkgtypes.go | 7 ++- dev-tools/mage/settings.go | 11 +++- dev-tools/packaging/package_test.go | 87 ++++++++++++++++++++++++++++- 10 files changed, 236 insertions(+), 13 deletions(-) create mode 100644 dev-tools/mage/build_test.go diff --git a/dev-tools/mage/build.go b/dev-tools/mage/build.go index 263299671fd7..24f78e493e34 100644 --- a/dev-tools/mage/build.go +++ b/dev-tools/mage/build.go @@ -24,6 +24,7 @@ import ( "log" "os" "path/filepath" + "regexp" "strings" "github.com/josephspurrier/goversioninfo" 
@@ -46,6 +47,39 @@ type BuildArgs struct { WinMetadata bool // Add resource metadata to Windows binaries (like add the version number to the .exe properties). } +// buildTagRE is a regexp to match strings like "-tags=abcd" +// but does not match "-tags= " +var buildTagRE = regexp.MustCompile(`-tags=([\S]+)?`) + +// ParseBuildTags returns the ExtraFlags param where all flags that are go build tags are joined by a comma. +// +// For example if given -someflag=val1 -tags=buildtag1 -tags=buildtag2 +// It will return -someflag=val1 -tags=buildtag1,buildtag2 +func (b BuildArgs) ParseBuildTags() []string { + flags := make([]string, 0) + if len(b.ExtraFlags) == 0 { + return flags + } + + buildTags := make([]string, 0) + for _, flag := range b.ExtraFlags { + if buildTagRE.MatchString(flag) { + arr := buildTagRE.FindStringSubmatch(flag) + if len(arr) != 2 || arr[1] == "" { + log.Printf("Parsing buildargs.ExtraFlags found strange flag %q ignoring value", flag) + continue + } + buildTags = append(buildTags, arr[1]) + } else { + flags = append(flags, flag) + } + } + if len(buildTags) > 0 { + flags = append(flags, "-tags="+strings.Join(buildTags, ",")) + } + return flags +} + // DefaultBuildArgs returns the default BuildArgs for use in builds. func DefaultBuildArgs() BuildArgs { args := BuildArgs{ @@ -74,6 +108,10 @@ func DefaultBuildArgs() BuildArgs { // Remove all file system paths from the compiled executable, to improve build reproducibility args.ExtraFlags = append(args.ExtraFlags, "-trimpath") } + if FIPSBuild { + args.ExtraFlags = append(args.ExtraFlags, "-tags=requirefips") + args.CGO = true + } return args } @@ -175,6 +213,10 @@ func Build(params BuildArgs) error { if params.CGO { cgoEnabled = "1" } + if FIPSBuild { + cgoEnabled = "1" + env["GOEXPERIMENT"] = "systemcrypto" + } env["CGO_ENABLED"] = cgoEnabled // Spec 
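Review bot: buildTagRE is unanchored, so `-tags=` is matched anywhere in a flag (for instance inside a `-ldflags=…` or `-gcflags=…` value), and ParseBuildTags evaluates the pattern twice per flag with MatchString followed by FindStringSubmatch. Anchoring the raw string as `^-tags=(\S+)?` and using `if arr := buildTagRE.FindStringSubmatch(flag); arr != nil {` keeps the existing handling of `-tags= example` while removing both issues; the doc comment should also state that the space-separated form `-tags foo` is passed through untouched. In the Build hunk, `env["GOEXPERIMENT"] = "systemcrypto"` is only understood by the Microsoft Go toolchain; on an upstream toolchain the build should fail with an unknown-experiment error rather than silently produce a non-FIPS binary, which is worth a one-line comment since it is the property the FIPS flag relies on.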
@@ -186,7 +228,7 @@ func Build(params BuildArgs) error { if params.BuildMode != "" { args = append(args, "-buildmode", params.BuildMode) } - args = append(args, params.ExtraFlags...) + args = append(args, params.ParseBuildTags()...) // ldflags ldflags := params.LDFlags diff --git a/dev-tools/mage/build_test.go b/dev-tools/mage/build_test.go new file mode 100644 index 000000000000..39ba435cf1a6 --- /dev/null +++ b/dev-tools/mage/build_test.go 
@@ -0,0 +1,72 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package mage + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func Test_BuildArgs_ParseBuildTags(t *testing.T) { + tests := []struct { + name string + input []string + expect []string + }{{ + name: "no flags", + input: nil, + expect: []string{}, + }, { + name: "multiple flags with no tags", + input: []string{"-a", "-b", "-key=value"}, + expect: []string{"-a", "-b", "-key=value"}, + }, { + name: "one build tag", + input: []string{"-tags=example"}, + expect: []string{"-tags=example"}, + }, { + name: "multiple build tags", + input: []string{"-tags=example", "-tags=test"}, + expect: []string{"-tags=example,test"}, + }, { + name: "joined build tags", + input: []string{"-tags=example,test"}, + expect: []string{"-tags=example,test"}, + }, { + name: "multiple build tags with other flags", + input: []string{"-tags=example", "-tags=test", "-key=value", "-a"}, + expect: []string{"-key=value", "-a", "-tags=example,test"}, + }, { + name: "incorrectly formatted tag", + input: []string{"-tags= example"}, + expect: []string{}, + }, { + name: "incorrectly formatted tag with valid tag", + input: []string{"-tags= example", "-tags=test"}, + expect: 
[]string{"-tags=test"}, + }} + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + args := BuildArgs{ExtraFlags: tc.input} + flags := args.ParseBuildTags() + assert.EqualValues(t, tc.expect, flags) + }) + } +} diff --git a/dev-tools/mage/common.go b/dev-tools/mage/common.go index 01c683c11e7b..07dffd15fba8 100644 --- a/dev-tools/mage/common.go +++ b/dev-tools/mage/common.go @@ -511,6 +511,12 @@ func untar(sourceFile, destinationDir string) error { return err } case tar.TypeReg: + // create containing folder if it doesn't exist yet + targetContainingDir := filepath.Dir(filepath.FromSlash(path)) + if mkDirErr := os.MkdirAll(targetContainingDir, 0755); mkDirErr != nil { + return fmt.Errorf("creating container directory for file %s: %w", header.Name, mkDirErr) + } + writer, err := os.Create(path) if err != nil { return err diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index 0aabf0032118..5fd9e4a0506e 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go @@ -248,6 +248,9 @@ func CrossBuildImage(platform string) (string, error) { if err != nil { return "", err } + if FIPSBuild { + tagSuffix += "-fips" + } return BeatsCrossBuildImage + ":" + goVersion + "-" + tagSuffix, nil } @@ -331,6 +334,7 @@ func (b GolangCrossBuilder) Build() error { "--env", "MAGEFILE_VERBOSE="+verbose, "--env", "MAGEFILE_TIMEOUT="+EnvOr("MAGEFILE_TIMEOUT", ""), "--env", fmt.Sprintf("SNAPSHOT=%v", Snapshot), + "--env", fmt.Sprintf("FIPS=%v", FIPSBuild), "-v", repoInfo.RootDir+":"+mountPoint, "-w", workDir, ) diff --git a/dev-tools/mage/dockerbuilder.go b/dev-tools/mage/dockerbuilder.go index 2066670dc808..ccc532ad0591 100644 --- a/dev-tools/mage/dockerbuilder.go +++ b/dev-tools/mage/dockerbuilder.go 
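Review bot: The new MkdirAll in untar creates every parent directory of `path` for a regular-file entry, but the hunk does not show how `path` is derived from header.Name or whether it is confined to destinationDir; if no such check exists earlier in the function, this extends any existing traversal from file creation to directory creation. A guard before the MkdirAll such as `if !strings.HasPrefix(filepath.Clean(path)+string(os.PathSeparator), filepath.Clean(destinationDir)+string(os.PathSeparator)) { return fmt.Errorf("tar entry %q escapes %q", header.Name, destinationDir) }` (assuming strings is imported) fails closed regardless of what happens above; if the function already validates, a comment saying so at this point would help. Also prefer `0o755` for the mode literal, matching current gofmt style. untar starts outside the hunk.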
@@ -194,6 +194,9 @@ func (b *dockerBuilder) dockerBuild() (string, error) { if b.Snapshot { tag = tag + "-SNAPSHOT" } + if b.FIPS { + tag = tag + "-fips" + } if repository, _ := b.ExtraVars["repository"]; repository != "" { tag = fmt.Sprintf("%s/%s", repository, tag) } diff --git a/dev-tools/mage/gotest.go b/dev-tools/mage/gotest.go index ecc8f277b941..f1b977b6ac65 100644 --- a/dev-tools/mage/gotest.go +++ b/dev-tools/mage/gotest.go @@ -292,9 +292,9 @@ func GoTest(ctx context.Context, params GoTestArgs) error { } } if len(params.Tags) > 0 { - params := strings.Join(params.Tags, " ") + params := strings.Join(params.Tags, ",") if params != "" { - testArgs = append(testArgs, "-tags", params) + testArgs = append(testArgs, "-tags="+params) } } if params.CoverageProfileFile != "" { diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go index 757f857265f4..6d6e2aff535d 100644 --- a/dev-tools/mage/pkg.go +++ b/dev-tools/mage/pkg.go @@ -88,6 +88,7 @@ func Package() error { spec.OS = target.GOOS() spec.Arch = packageArch spec.Snapshot = Snapshot + spec.FIPS = FIPSBuild spec.evalContext = map[string]interface{}{ "GOOS": target.GOOS(), "GOARCH": target.GOARCH(), @@ -246,11 +247,11 @@ type packageBuilder struct { } func (b packageBuilder) Build() error { - fmt.Printf(">> package: Building %v type=%v for platform=%v\n", b.Spec.Name, b.Type, b.Platform.Name) + fmt.Printf(">> package: Building %v type=%v for platform=%v fips=%v\n", b.Spec.Name, b.Type, b.Platform.Name, b.Spec.FIPS) log.Printf("Package spec: %+v", b.Spec) if err := b.Type.Build(b.Spec); err != nil { - return fmt.Errorf("failed building %v type=%v for platform=%v: %w", - b.Spec.Name, b.Type, b.Platform.Name, err) + return fmt.Errorf("failed building %v type=%v for platform=%v fips=%v: %w", + b.Spec.Name, b.Type, b.Platform.Name, b.Spec.FIPS, err) } return nil } 
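Review bot: In GoTest the rewritten lines keep shadowing the `params GoTestArgs` parameter with a string of the same name, which is confusing and makes any later use of params inside that block refer to the string. `tags := strings.Join(params.Tags, ",")` / `if tags != "" {` / `testArgs = append(testArgs, "-tags="+tags)` reads cleanly and keeps the comma-joined form, which is the form go build has accepted since Go 1.13. The dockerbuilder hunk reads `b.FIPS`; where that field is populated is outside the hunk, so I cannot confirm it is set on the builder and not only on the spec.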
@@ -344,6 +345,10 @@ func TestPackages(options ...TestPackagesOption) error { args = append(args, "-root-owner") } + if FIPSBuild { + args = append(args, "-fips") + } + args = append(args, "-files", MustExpand("{{.PWD}}/build/distributions/*")) if out, err := goTest(args...); err != nil { diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go index 249612f8feb8..4ef64d1959d6 100644 --- a/dev-tools/mage/pkgtypes.go +++ b/dev-tools/mage/pkgtypes.go @@ -47,7 +47,7 @@ const ( packageStagingDir = "build/package" // defaultBinaryName specifies the output file for zip and tar.gz. - defaultBinaryName = "{{.Name}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}" + defaultBinaryName = "{{.Name}}{{if .FIPS}}-fips{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}" ) // PackageType defines the file format of the package (e.g. zip, rpm, etc). @@ -79,6 +79,7 @@ type PackageSpec struct { Arch string `yaml:"arch,omitempty"` Vendor string `yaml:"vendor,omitempty"` Snapshot bool `yaml:"snapshot"` + FIPS bool `yaml:"fips"` Version string `yaml:"version,omitempty"` License string `yaml:"license,omitempty"` URL string `yaml:"url,omitempty"` @@ -528,7 +529,7 @@ func (s PackageSpec) rootDir() string { // NOTE: This uses .BeatName instead of .Name because we wanted the internal // directory to not include "-oss". - return s.MustExpand("{{.BeatName}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}") + return s.MustExpand("{{.BeatName}}{{if .FIPS}}-fips{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}") } // PackageZip packages a zip file. 
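Review bot: The `-fips` marker lands in different positions across this commit: defaultBinaryName and rootDir put it right after the name (`{{.Name}}{{if .FIPS}}-fips{{end}}-{{.Version}}…`), runFPM in the next hunk appends it after the architecture, and TestFIPSTar in package_test.go selects tarballs with `-\w+-fips\.tar\.gz$`, i.e. `-fips` immediately before the extension. As far as these hunks show, a tar.gz named by defaultBinaryName would be `name-fips-version-os-arch.tar.gz`, which that regexp does not match, so the FIPS check would run on nothing unless the packaging spec overrides the file name. Either move the marker to the end in defaultBinaryName and rootDir (`…{{if .Arch}}-{{.Arch}}{{end}}{{if .FIPS}}-fips{{end}}`) to agree with runFPM and the test, or change the regexp, and record the chosen layout in the defaultBinaryName comment.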
@@ -727,7 +728,7 @@ func runFPM(spec PackageSpec, packageType PackageType) error { } defer os.Remove(inputTar) - outputFile, err := spec.Expand("{{.Name}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.Arch}}") + outputFile, err := spec.Expand("{{.Name}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.Arch}}{{if .FIPS}}-fips{{end}}") if err != nil { return err } diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go index 22c081351e8b..b1394e66c4bd 100644 --- a/dev-tools/mage/settings.go +++ b/dev-tools/mage/settings.go @@ -79,8 +79,9 @@ var ( BeatProjectType ProjectType - Snapshot bool - DevBuild bool + Snapshot bool + DevBuild bool + FIPSBuild bool versionQualified bool versionQualifier string @@ -128,6 +129,11 @@ func init() { panic(fmt.Errorf("failed to parse DEV env value: %w", err)) } + FIPSBuild, err = strconv.ParseBool(EnvOr("FIPS", "false")) + if err != nil { + panic(fmt.Errorf("failed to parse FIPS env value: %w", err)) + } + versionQualifier, versionQualified = os.LookupEnv("VERSION_QUALIFIER") } @@ -179,6 +185,7 @@ func varMap(args ...map[string]interface{}) map[string]interface{} { "BeatUser": BeatUser, "Snapshot": Snapshot, "DEV": DevBuild, + "FIPS": FIPSBuild, "Qualifier": versionQualifier, "CI": CI, } diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go index 6a9a72a8facd..7acc16affc7e 100644 --- a/dev-tools/packaging/package_test.go +++ b/dev-tools/packaging/package_test.go @@ -27,6 +27,8 @@ import ( "bytes" "compress/gzip" "context" + "debug/buildinfo" + "debug/elf" "encoding/json" "errors" "flag" @@ -45,6 +47,9 @@ import ( "github.com/docker/docker/api/types/container" "github.com/docker/docker/api/types/strslice" "github.com/docker/docker/client" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/dev-tools/mage" ) const ( 
@@ -75,6 +80,7 @@ var ( monitorsd = flag.Bool("monitors.d", false, "check monitors.d folder contents") rootOwner = flag.Bool("root-owner", false, "expect root to own package files") rootUserContainer = flag.Bool("root-user-container", false, "expect root in container user") + fips = flag.Bool("fips", false, "check agent binary for FIPS compliance") ) func TestRPM(t *testing.T) { @@ -96,7 +102,15 @@ func TestTar(t *testing.T) { // Regexp matches *-arch.tar.gz, but not *-arch.docker.tar.gz tars := getFiles(t, regexp.MustCompile(`-\w+\.tar\.gz$`)) for _, tar := range tars { - checkTar(t, tar) + checkTar(t, tar, false) + } +} + +func TestFIPSTar(t *testing.T) { + // Regexp matches *-arch.tar.gz, but not *-arch.docker.tar.gz + tars := getFiles(t, regexp.MustCompile(`-\w+-fips\.tar\.gz$`)) + for _, tar := range tars { + checkTar(t, tar, *fips) } } @@ -159,7 +173,7 @@ func checkDeb(t *testing.T, file string, buf *bytes.Buffer) { checkSystemdUnitPermissions(t, p) } -func checkTar(t *testing.T, file string) { +func checkTar(t *testing.T, file string, fipsCheck bool) { p, err := readTar(file) if err != nil { t.Error(err) 
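Review bot: TestTar's pattern `-\w+\.tar\.gz$` also matches a tarball ending in `-fips.tar.gz`, so such an artifact is checked twice, once without the FIPS assertions; `if strings.HasSuffix(tar, "-fips.tar.gz") { continue }` in TestTar's loop keeps the two tests disjoint. Gating the assertions on `*fips` in TestFIPSTar also means a FIPS-named tarball gets no FIPS verification at all when the flag is absent, which is presumably intended for non-FIPS CI runs but deserves a comment on the call.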
@@ -174,6 +188,29 @@ func checkTar(t *testing.T, file string) { checkModulesPermissions(t, p) checkModulesOwner(t, p, true) checkLicensesPresent(t, "", p) + if fipsCheck { + t.Run(p.Name+"_fips_test", func(t *testing.T) { + extractDir := t.TempDir() + t.Logf("Extracting file %s into %s", file, extractDir) + err := mage.Extract(file, extractDir) + require.NoError(t, err) + containingDir := strings.TrimSuffix(filepath.Base(file), ".tar.gz") + beatName := extractBeatNameFromTarName(t, filepath.Base(file)) + checkFIPS(t, beatName, filepath.Join(extractDir, containingDir)) + }) + } +} + +func extractBeatNameFromTarName(t *testing.T, fileName string) string { + // TODO check if cutting at the first '-' is an acceptable shortcut + t.Logf("Extracting beat name from filename %s", fileName) + const sep = "-" + beatName, _, found := strings.Cut(fileName, sep) + if !found { + t.Logf("separator %s not found in filename %s: beatName may be incorrect", sep, fileName) + } + + return beatName } func checkZip(t *testing.T, file string) { 
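Review bot: extractBeatNameFromTarName cuts at the first `-`, so any package whose name itself contains a hyphen (the `-oss` variants mentioned in the rootDir comment in pkgtypes.go, for instance) yields a truncated beat name, as the TODO acknowledges. The neighbouring `containingDir` assumes the archive's top-level directory equals the file name minus `.tar.gz`, yet rootDir builds that directory from BeatName rather than Name, so the two can diverge for exactly those packages and checkFIPS would then look in a directory that does not exist. Taking both values from the extracted archive (the single top-level entry of `p`, or a listing of extractDir after mage.Extract) would be more robust than parsing the file name. checkTar starts outside the hunk.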
@@ -773,6 +810,52 @@ func readTarContents(tarName string, data io.Reader) (*packageFile, error) { return p, nil } +func checkFIPS(t *testing.T, beatName, path string) { + t.Logf("Checking %s for FIPS compliance", beatName) + binaryPath := filepath.Join(path, beatName) // TODO eventually we'll need to support checking a .exe + require.FileExistsf(t, binaryPath, "Unable to find beat executable %s", binaryPath) + + info, err := buildinfo.ReadFile(binaryPath) + require.NoError(t, err) + + foundTags := false + foundExperiment := false + for _, setting := range info.Settings { + switch setting.Key { + case "-tags": + foundTags = true + require.Contains(t, setting.Value, "requirefips") + continue + case "GOEXPERIMENT": + foundExperiment = true + require.Contains(t, setting.Value, "systemcrypto") + continue + } + } + + require.True(t, foundTags, "Did not find -tags within binary version information") + require.True(t, foundExperiment, "Did not find GOEXPERIMENT within binary version information") + + // TODO only elf is supported at the moment, in the future we will need to use macho (darwin) and pe (windows) + f, err := elf.Open(binaryPath) + require.NoError(t, err, "unable to open ELF file") + + symbols, err := f.Symbols() + if err != nil { + t.Logf("no symbols present in %q: %v", binaryPath, err) + return + } + + hasOpenSSL := false + for _, symbol := range symbols { + if strings.Contains(symbol.Name, "OpenSSL_version") { + hasOpenSSL = true + break + } + } + require.True(t, hasOpenSSL, "unable to find OpenSSL_version symbol") +} + // inspector is a file contents inspector. It vets the contents of the file // within a package for a requirement and returns an error if it is not met. type inspector func(pkg, file string, contents io.Reader) error From 1db044487726833ee5a63f98904326d705707c46 Mon Sep 17 00:00:00 2001 
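Review bot: checkFIPS opens the binary with elf.Open and never closes it; add `defer f.Close()` right after the corresponding require.NoError. The symbol check is also weaker than it looks: `f.Symbols()` reads the static symbol table, which a stripped binary does not have, and in that case the function logs and returns success, so a stripped non-FIPS build passes the OpenSSL check by default. Unless the artifacts are known to keep their symbol table, treat a missing table as a failure (`require.NoError(t, err, "symbol table required for FIPS check")`) rather than returning early. The `continue` statements inside the switch cases are redundant, since nothing follows the switch in the loop body, and can be dropped.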
From: Valentin Crettaz Date: Wed, 5 Mar 2025 19:51:31 +0100 Subject: [PATCH 09/12] [REVERT] Update Stack Monitoring data stream to 9 (#43052)
--- metricbeat/helper/elastic/elastic.go | 2 +- metricbeat/helper/elastic/elastic_test.go | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/metricbeat/helper/elastic/elastic.go b/metricbeat/helper/elastic/elastic.go
index 4af3871356c4..59626c6e8219 100644
--- a/metricbeat/helper/elastic/elastic.go
+++ b/metricbeat/helper/elastic/elastic.go
@@ -82,7 +82,7 @@ func (p Product) String() string {
 // MakeXPackMonitoringIndexName method returns the name of the monitoring index for
 // a given product { elasticsearch, kibana, logstash, beats }
 func MakeXPackMonitoringIndexName(product Product) string {
-const version = "9"
+const version = "8"
 return fmt.Sprintf(".monitoring-%v-%v-mb", product.xPackMonitoringIndexString(), version)
 }
 
diff --git a/metricbeat/helper/elastic/elastic_test.go b/metricbeat/helper/elastic/elastic_test.go
index e6939cd42583..44416b469803 100644
--- a/metricbeat/helper/elastic/elastic_test.go
+++ b/metricbeat/helper/elastic/elastic_test.go
@@ -38,22 +38,22 @@ func TestMakeXPackMonitoringIndexName(t *testing.T) {
 {
 "Elasticsearch monitoring index",
 Elasticsearch,
-".monitoring-es-9-mb",
+".monitoring-es-8-mb",
 },
 {
 "Kibana monitoring index",
 Kibana,
-".monitoring-kibana-9-mb",
+".monitoring-kibana-8-mb",
 },
 {
 "Logstash monitoring index",
 Logstash,
-".monitoring-logstash-9-mb",
+".monitoring-logstash-8-mb",
 },
 {
 "Beats monitoring index",
 Beats,
-".monitoring-beats-9-mb",
+".monitoring-beats-8-mb",
 },
 }
 
From 2c6e5affa25bd29bda0e56d506074967cda28f7d Mon Sep 17 00:00:00 2001
From: Dimitrios Liappis Date: Thu, 6 Mar 2025 10:35:27 +0200 Subject: [PATCH 10/12] Don't package arm64 on amd64 workers (#43026) This commit is the counterpart of #43019 for the DRA packaging pipeline. It ensures that arm64 packages get built without qemu emulation on dedicated arm64 workers. --- .buildkite/packaging.pipeline.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.buildkite/packaging.pipeline.yml b/.buildkite/packaging.pipeline.yml index 34b103b23736..6063cd8c7164 100644 --- a/.buildkite/packaging.pipeline.yml +++ b/.buildkite/packaging.pipeline.yml @@ -8,8 +8,8 @@ env: GCP_DEFAULT_MACHINE_TYPE: "c2d-standard-8" IMAGE_UBUNTU_X86_64: "family/platform-ingest-beats-ubuntu-2204" - PLATFORMS: "+all linux/amd64 linux/arm64 windows/amd64 darwin/amd64 darwin/arm64" - PLATFORMS_ARM: "linux/arm64" + PLATFORMS: "+all linux/amd64 windows/amd64 darwin/amd64 darwin/arm64" + PLATFORMS_ARM: "+all linux/arm64" steps: # we use concurrency gates (https://buildkite.com/blog/concurrency-gates) @@ -121,10 +121,9 @@ steps: - x-pack/packetbeat - x-pack/winlogbeat - - label: "SNAPSHOT: {{matrix}} docker Linux/arm64" + - label: "SNAPSHOT: {{matrix}} Linux/arm64" env: PLATFORMS: "${PLATFORMS_ARM}" - PACKAGES: "docker" SNAPSHOT: true # packaging with `DEV=true` may cause linker issues while crosscompiling https://github.com/elastic/beats/issues/41270 DEV: false @@ -151,9 +150,11 @@ steps: - x-pack/heartbeat - x-pack/metricbeat - x-pack/packetbeat + - x-pack/osquerybeat + - x-pack/agentbeat ## Agentbeat needs more CPUs because it builds many other beats - - label: "SNAPSHOT: x-pack/agentbeat" + - label: "SNAPSHOT: x-pack/agentbeat all artifacts apart from linux/arm64" env: PLATFORMS: "${PLATFORMS}" SNAPSHOT: true 
@@ -211,10 +212,9 @@ steps: - x-pack/packetbeat - x-pack/winlogbeat - - label: "STAGING: {{matrix}} docker Linux/arm64" + - label: "STAGING: {{matrix}} Linux/arm64" env: PLATFORMS: "${PLATFORMS_ARM}" - PACKAGES: "docker" SNAPSHOT: false DEV: false command: | @@ -242,9 +242,11 @@ steps: - x-pack/heartbeat - x-pack/metricbeat - x-pack/packetbeat + - x-pack/osquerybeat + - x-pack/agentbeat ## Agentbeat needs more CPUs because it builds many other beats - - label: "STAGING: x-pack/agentbeat" + - label: "STAGING: x-pack/agentbeat all artifacts apart from linux/arm64" env: PLATFORMS: "${PLATFORMS}" SNAPSHOT: false From 180bd96836d503887fdb9044555b46521bc228d9 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 6 Mar 2025 11:01:38 +0100 Subject: [PATCH 11/12] [metricbeat] Add a new 'match_by_parent_instance' option to 'perfmon' module (#43002) * Add a new 'match_by_parent_instance' option to 'perfmon' module * Add type assertion check --- CHANGELOG.next.asciidoc | 1 + .../windows/perfmon/_meta/docs.asciidoc | 7 ++ metricbeat/module/windows/perfmon/config.go | 5 ++ metricbeat/module/windows/perfmon/data.go | 20 ++--- .../module/windows/perfmon/data_test.go | 76 +++++++++++++++++++ 5 files changed, 100 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f04e8e0d6d41..79dda48534a1 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -473,6 +473,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403] - Add new metricset wmi for the windows module. {pull}42017[42017] - Update beat module with apm-server tail sampling monitoring metrics fields {pull}42569[42569] - Log every 401 response from Kubernetes API Server {pull}42714[42714] +- Add a new `match_by_parent_instance` option to `perfmon` module. {pull}43002[43002] *Metricbeat* - Add benchmark module {pull}41801[41801] 
diff --git a/metricbeat/module/windows/perfmon/_meta/docs.asciidoc b/metricbeat/module/windows/perfmon/_meta/docs.asciidoc index 9550e771ebc7..9df8c740fb49 100644 --- a/metricbeat/module/windows/perfmon/_meta/docs.asciidoc +++ b/metricbeat/module/windows/perfmon/_meta/docs.asciidoc @@ -49,6 +49,13 @@ The default behaviour is for all measurements to be sent as separate events. *`refresh_wildcard_counters`*:: A boolean option to refresh the counter list at each fetch. By default, the counter list will be retrieved at the starting time, to refresh the list at each fetch, users will have to enable this setting. +*`match_by_parent_instance`*:: A boolean option that causes all instances +of the same parent to have the same instance value. In the above example, +this will cause metrics for `svchost`, `svchost#1`, etc. to have an `instance` +value of `svchost`. If set to `false` they will keep the original values +(`svchost`, `svchost#1`, etc.). +It defaults to `true`. + [float] ==== Query Configuration diff --git a/metricbeat/module/windows/perfmon/config.go b/metricbeat/module/windows/perfmon/config.go index f16c9c3b324b..4033fc404aeb 100644 --- a/metricbeat/module/windows/perfmon/config.go +++ b/metricbeat/module/windows/perfmon/config.go @@ -35,6 +35,7 @@ type Config struct { RefreshWildcardCounters bool `config:"perfmon.refresh_wildcard_counters"` Queries []Query `config:"perfmon.queries"` GroupAllCountersTo string `config:"perfmon.group_all_counter"` + MatchByParentInstance *bool `config:"perfmon.match_by_parent_instance"` } // QueryConfig for perfmon queries. This will be used as the new configuration format @@ -77,6 +78,10 @@ func (conf *Config) Validate() error { return nil } +func (conf *Config) ShouldMatchByParentInstance() bool { + return conf.MatchByParentInstance == nil || *conf.MatchByParentInstance +} + func isValidFormat(format string) bool { for _, form := range allowedFormats { if form == format { 
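Review bot: ShouldMatchByParentInstance is exported but has no doc comment, and the nil-means-true default is the one thing a caller needs to know. Suggest `// ShouldMatchByParentInstance reports whether instance names such as "svchost#1" are collapsed to their parent ("svchost"); it is true when perfmon.match_by_parent_instance is unset.` above the method. A `*bool` field is the right way to tell unset from false here, and a short comment on MatchByParentInstance noting that nil means unset would make that intent visible in Config as well.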
diff --git a/metricbeat/module/windows/perfmon/data.go b/metricbeat/module/windows/perfmon/data.go
index 0391266e65a5..5e35c9ae4e1b 100644
--- a/metricbeat/module/windows/perfmon/data.go
+++ b/metricbeat/module/windows/perfmon/data.go
@@ -75,12 +75,14 @@ func (re *Reader) groupToEvents(counters map[string][]pdh.CounterValue) []mb.Eve
 eventMap[eventKey].Error = fmt.Errorf("failed on query=%v: %w", counterPath, val.Err.Error)
 }
 if val.Instance != "" {
-// will ignore instance index
-if ok, match := matchesParentProcess(val.Instance); ok {
-eventMap[eventKey].MetricSetFields.Put(counter.InstanceField, match)
-} else {
-eventMap[eventKey].MetricSetFields.Put(counter.InstanceField, val.Instance)
+instanceName := val.Instance
+if re.config.ShouldMatchByParentInstance() {
+if ok, match := matchesParentProcess(val.Instance); ok {
+// will ignore instance index
+instanceName = match
+}
 }
+eventMap[eventKey].MetricSetFields.Put(counter.InstanceField, instanceName)
 }
 }
 
@@ -126,13 +128,13 @@ func (re *Reader) groupToSingleEvent(counters map[string][]pdh.CounterValue) mb.
 continue
 }
 var counterVal float64
-switch val.Measurement.(type) {
+switch m := val.Measurement.(type) {
 case int64:
-counterVal = float64(val.Measurement.(int64))
+counterVal = float64(m)
 case int:
-counterVal = float64(val.Measurement.(int))
+counterVal = float64(m)
 default:
-counterVal = val.Measurement.(float64)
+counterVal, _ = val.Measurement.(float64)
 }
 if _, ok := measurements[readerCounter.QueryField]; !ok {
 measurements[readerCounter.QueryField] = counterVal
diff --git a/metricbeat/module/windows/perfmon/data_test.go b/metricbeat/module/windows/perfmon/data_test.go
index 9c4691216b34..fdb6683e897e 100644
--- a/metricbeat/module/windows/perfmon/data_test.go
+++ b/metricbeat/module/windows/perfmon/data_test.go
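Review bot: The new `counterVal, _ = val.Measurement.(float64)` in groupToSingleEvent turns an unexpected measurement type into a silent zero that is then aggregated into the event, which is harder to notice than the panic it replaces. Prefer an explicit `case float64: counterVal = m` and a `default:` that skips the value with `continue` (logging through re.log when it is non-nil, since the tests construct a Reader with a nil logger) so an unsupported type is never reported as 0. In the groupToEvents hunk the comment `// will ignore instance index` now sits on the assignment; `// match is the parent name without the #N instance index` says the same thing more directly. Both functions begin and end outside the hunks.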
@@ -292,6 +292,82 @@ func TestGroupToSingleEvent(t *testing.T) {
 	assert.Equal(t, val, mapstr.M{"processor_count": float64(2)})
 }
+func TestMatchByParentInstance(t *testing.T) {
+	_true := true
+	_false := false
+	reader := Reader{
+		query: pdh.Query{},
+		log: nil,
+		config: Config{
+			MatchByParentInstance: &_true,
+		},
+		counters: []PerfCounter{
+			{
+				QueryField: "%_processor_time",
+				QueryName: `\Processor Information(*)\% Processor Time`,
+				Format: "float",
+				ObjectName: "Processor Information",
+				ObjectField: "object",
+				InstanceName: "*",
+				InstanceField: "instance",
+				ChildQueries: []string{`\Processor Information(processor)\% Processor Time`, `\Processor Information(processor#1)\% Processor Time`},
+			},
+		},
+	}
+
+	counters := map[string][]pdh.CounterValue{
+		`\Processor Information(processor)\% Processor Time`: {
+			{
+				Instance: "processor",
+				Measurement: 23,
+			},
+		},
+		`\Processor Information(processor#1)\% Processor Time`: {
+			{
+				Instance: "processor#1",
+				Measurement: 21,
+			},
+		},
+	}
+
+	{
+		events := reader.groupToEvents(counters)
+		assert.NotNil(t, events)
+		assert.Equal(t, 2, len(events))
+		ok, err := events[0].MetricSetFields.HasKey("instance")
+		assert.NoError(t, err)
+		assert.True(t, ok)
+		ok, err = events[1].MetricSetFields.HasKey("instance")
+		assert.NoError(t, err)
+		assert.True(t, ok)
+		val1, err := events[0].MetricSetFields.GetValue("instance")
+		assert.NoError(t, err)
+		assert.Equal(t, val1, "processor")
+		val2, err := events[1].MetricSetFields.GetValue("instance")
+		assert.NoError(t, err)
+		assert.Equal(t, val2, "processor")
+	}
+
+	reader.config.MatchByParentInstance = &_false
+	{
+		events := reader.groupToEvents(counters)
+		assert.NotNil(t, events)
+		assert.Equal(t, 2, len(events))
+		ok, err := events[0].MetricSetFields.HasKey("instance")
+		assert.NoError(t, err)
+		assert.True(t, ok)
+		ok, err = events[1].MetricSetFields.HasKey("instance")
+		assert.NoError(t, err)
+		assert.True(t, ok)
+		val1, err := events[0].MetricSetFields.GetValue("instance")
+		assert.NoError(t, err)
+		assert.Equal(t, val1, "processor")
+		val2, err := events[1].MetricSetFields.GetValue("instance")
+		assert.NoError(t, err)
+		assert.Equal(t, val2, "processor#1")
+	}
+}
+
 func TestMatchesParentProcess(t *testing.T) {
 	ok, val := matchesParentProcess("svchost")
 	assert.True(t, ok)
From f1e42fcaf3e3d3f36e9cf7ded219650aaa6a8114 Mon Sep 17 00:00:00 2001
From: Orestis Floros
Date: Thu, 6 Mar 2025 13:23:43 +0100
Subject: [PATCH 12/12] filebeat: make deep copy before notifying of config change (#42992)
This prevents concurrent read & write map access. Unrelated, but I've escalated one log line to Info to allow for easier verifying that ES store is being used from agent logs. Fixes #42815
---
 filebeat/beater/filebeat.go | 10 +++++++++-
 libbeat/statestore/backend/es/store.go | 2 +-
 x-pack/filebeat/tests/integration/managerV2_test.go | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/filebeat/beater/filebeat.go b/filebeat/beater/filebeat.go
index dbab9a77de5e..7c9229cd09b5 100644
--- a/filebeat/beater/filebeat.go
+++ b/filebeat/beater/filebeat.go
@@ -329,7 +329,15 @@ func (fb *Filebeat) Run(b *beat.Beat) error {
 				return nil
 			}
-			stateStore.notifier.Notify(outCfg.Config())
+			// Create a new config with the output configuration. Since r.Config is a pointer, a copy is required to
+			// avoid concurrent map read and write.
+			// See https://github.com/elastic/beats/issues/42815
+			configCopy, err := conf.NewConfigFrom(outCfg.Config())
+			if err != nil {
+				logp.Err("Failed to create a new config from the output config: %v", err)
+				return nil
+			}
+			stateStore.notifier.Notify(configCopy)
 			return nil
 		})
 	}
diff --git a/libbeat/statestore/backend/es/store.go b/libbeat/statestore/backend/es/store.go
index fee1e0c9ba48..d4a6fd130853 100644
--- a/libbeat/statestore/backend/es/store.go
+++ b/libbeat/statestore/backend/es/store.go
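Review bot: `TestMatchByParentInstance` asserts `events[0]` and `events[1]` by position, but `counters` is a map and nothing in the test orders the result; unless `groupToEvents` sorts its output (its body is outside this hunk), the `"processor"`/`"processor#1"` split checked in the second block can flip between runs. Collecting the `instance` value of every event into a slice and comparing with `assert.ElementsMatch(t, []any{"processor", "processor#1"}, got)` would make the check order-independent. The `assert.Equal` calls also pass the actual value first and the expected value second, which inverts the message testify prints on failure.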
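Review bot: When `conf.NewConfigFrom` fails, the callback logs and returns nil, so the reload is reported as successful while `stateStore.notifier` never receives the new output configuration and the state store keeps using the previous one until some later reload. If the callback's contract permits it (the surrounding `return nil` paths suggest it returns an error), propagating the failure, `return fmt.Errorf("copying output config for state store notifier: %w", err)`, lets the reload surface the problem instead of hiding it in a log line. The call also goes through the package-level `logp.Err` rather than a logger owned by the beat, which the rest of `Run` may already have; `Run` starts outside the hunk.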
@@ -296,7 +296,7 @@ func (s *store) Each(fn func(string, backend.ValueDecoder) (bool, error)) error
 }
 func (s *store) configure(ctx context.Context, c *conf.C) {
-	s.log.Debugf("Configure ES store")
+	s.log.Info("Configuring ES store")
 	s.mx.Lock()
 	defer s.mx.Unlock()
diff --git a/x-pack/filebeat/tests/integration/managerV2_test.go b/x-pack/filebeat/tests/integration/managerV2_test.go
index 84f6ad0f54bb..a05ee01570e0 100644
--- a/x-pack/filebeat/tests/integration/managerV2_test.go
+++ b/x-pack/filebeat/tests/integration/managerV2_test.go
@@ -930,7 +930,7 @@ func TestHTTPJSONInputReloadUnderElasticAgentWithElasticStateStore(t *testing.T)
 	)
 	for _, contains := range []string{
-		"Configure ES store",
+		"Configuring ES store",
 		"input-cursor::openStore: prefix: httpjson inputID: " + inputID,
 		"input-cursor store read 0 keys", // first, no previous data exists
 		"input-cursor store read 1 keys", // after the restart, previous key is read