From 9c62ceef6a1866153f1b8e2d905fe18f912a66be Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Tue, 21 Jan 2025 15:08:46 +0100
Subject: [PATCH] Backport missing winlog changes: (#42360)

- Pipeline improvements
- Winlog input docs
- Metadata store tracking of newest events
---
 filebeat/docs/inputs/input-winlog.asciidoc    |    7 +-
 winlogbeat/sys/wineventlog/metadata_store.go  |   21 +-
 .../sys/wineventlog/metadata_store_test.go    |    3 +-
 .../module/security/ingest/security.yml       | 1001 ++++++++++++++++-
 4 files changed, 1014 insertions(+), 18 deletions(-)

diff --git a/filebeat/docs/inputs/input-winlog.asciidoc b/filebeat/docs/inputs/input-winlog.asciidoc
index 6d58c7d8df8d..8cbd004da804 100644
--- a/filebeat/docs/inputs/input-winlog.asciidoc
+++ b/filebeat/docs/inputs/input-winlog.asciidoc
@@ -452,8 +452,5 @@ performance and reduce CPU usage. *{vista_and_newer}*
   api: wineventlog-experimental
 --------------------------------------------------------------------------------
 
-There are a few notable differences in the events:
-
-* Events that contained data under `winlog.user_data` will now have it under
-  `winlog.event_data`.
-* Setting `include_xml: true` has no effect.
+* If `include_xml` is `true` the performance will be the same as the default API,
+as performance improvements are lost when parsing the XML.
diff --git a/winlogbeat/sys/wineventlog/metadata_store.go b/winlogbeat/sys/wineventlog/metadata_store.go
index 821e04d2dfc8..eae92ec07b26 100644
--- a/winlogbeat/sys/wineventlog/metadata_store.go
+++ b/winlogbeat/sys/wineventlog/metadata_store.go
@@ -51,8 +51,11 @@ type PublisherMetadataStore struct {
 
 	winevent.WinMeta
 
+	// Keeps track of the latest metadata available for each event.
+	EventsNewest map[uint16]*EventMetadata
 	// Event ID to event metadata (message and event data param names).
-	Events map[uint32]*EventMetadata
+	// Keeps track of all available versions for each event.
+	EventsByVersion map[uint32]*EventMetadata
 	// Event ID to map of fingerprints to event metadata. The fingerprint value
 	// is hash of the event data parameters count and types.
 	EventFingerprints map[uint32]map[uint64]*EventMetadata
@@ -103,7 +106,8 @@ func NewEmptyPublisherMetadataStore(provider string, log *logp.Logger) *Publishe
 			Levels: map[uint8]string{},
 			Tasks:  map[uint16]string{},
 		},
-		Events:            map[uint32]*EventMetadata{},
+		EventsNewest:      map[uint16]*EventMetadata{},
+		EventsByVersion:   map[uint32]*EventMetadata{},
 		EventFingerprints: map[uint32]map[uint64]*EventMetadata{},
 		MessagesByID:      map[uint32]string{},
 		log:               log.With("publisher", provider, "empty", true),
@@ -183,7 +187,8 @@ func (s *PublisherMetadataStore) initEvents() error {
 	}
 	defer itr.Close()
 
-	s.Events = map[uint32]*EventMetadata{}
+	s.EventsNewest = map[uint16]*EventMetadata{}
+	s.EventsByVersion = map[uint32]*EventMetadata{}
 	for itr.Next() {
 		evt, err := newEventMetadataFromPublisherMetadata(itr, s.Metadata)
 		if err != nil {
@@ -191,7 +196,8 @@ func (s *PublisherMetadataStore) initEvents() error {
 				"error", err)
 			continue
 		}
-		s.Events[getEventCombinedID(evt.EventID, evt.Version)] = evt
+		s.EventsNewest[evt.EventID] = evt
+		s.EventsByVersion[getEventCombinedID(evt.EventID, evt.Version)] = evt
 	}
 	return itr.Err()
 }
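Review bot: `s.EventsNewest[evt.EventID] = evt` in initEvents keeps whichever entry the iterator yields last for an event ID, not the one with the highest Version, so "newest" silently depends on the publisher's enumeration order, which nothing in this hunk checks. Comparing versions before overwriting makes the map mean what its field comment promises: `if cur, ok := s.EventsNewest[evt.EventID]; !ok || evt.Version >= cur.Version { s.EventsNewest[evt.EventID] = evt }` (assuming EventMetadata.Version is the uint8 that getEventCombinedID already receives). The field comment in the struct hunk above could state that rule explicitly, e.g. `// EventsNewest maps an event ID to the metadata of its highest known version; EventsByVersion keeps every version keyed by getEventCombinedID.` initEvents starts outside this hunk.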
@@ -235,7 +241,12 @@ func (s *PublisherMetadataStore) getEventMetadata(eventID uint16, version uint8,
 
 	// metadata then we just associate the fingerprint with a pointer to the
 	// providers metadata for the event ID.
-	defaultEM := s.Events[combinedID]
+	defaultEM, found := s.EventsByVersion[combinedID]
+	if !found {
+		// if we do not have a specific metadata for this event version
+		// we fallback to get the newest available one
+		defaultEM = s.EventsNewest[eventID]
+	}
 
 	// Use XML to get the parameters names.
 	em, err := newEventMetadataFromEventHandle(s.Metadata, eventHandle)
diff --git a/winlogbeat/sys/wineventlog/metadata_store_test.go b/winlogbeat/sys/wineventlog/metadata_store_test.go
index 86b02edd6815..c8b420bc6794 100644
--- a/winlogbeat/sys/wineventlog/metadata_store_test.go
+++ b/winlogbeat/sys/wineventlog/metadata_store_test.go
@@ -40,7 +40,8 @@ func TestPublisherMetadataStore(t *testing.T) {
 	}
 	defer s.Close()
 
-	assert.NotEmpty(t, s.Events)
+	assert.NotEmpty(t, s.EventsByVersion)
+	assert.NotEmpty(t, s.EventsNewest)
 	assert.Empty(t, s.EventFingerprints)
 
 	t.Run("event_metadata_from_handle", func(t *testing.T) {
diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml
index 020b14af356b..313f0333ab45 100644
--- a/x-pack/winlogbeat/module/security/ingest/security.yml
+++ b/x-pack/winlogbeat/module/security/ingest/security.yml
@@ -885,9 +885,10 @@ processors:
             return;
           }
           ArrayList uac_array = new ArrayList();
-          for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken("%%")) {
-            if (elem.trim().length() > 0) {
-              uac_array.add(elem.trim());
+          for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken((String)((char)0x0a))) {
+            def trimmed = elem.replace("%%","").trim();
+            if (trimmed.length() > 0) {
+              uac_array.add(trimmed);
             }
           }
           ctx.winlog.event_data.UserAccountControl = uac_array;
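Review bot: The fallback to `s.EventsNewest[eventID]` in getEventMetadata is silent, so when an event arrives with a version the publisher metadata does not describe, its event_data parameter names are taken from a different version with no trace in the logs; a mislabelled field is hard to diagnose after the fact. A debug line inside the `if !found` block, `s.log.Debugw("no metadata for event version, using newest available", "event_id", eventID, "version", version)`, would make the substitution visible (the `log` field is set in NewEmptyPublisherMetadataStore in this same file). If EventsNewest lacks the ID too, defaultEM stays nil exactly as the old `s.Events` lookup could, so the nil handling in the rest of the function presumably still covers it, but worth confirming. getEventMetadata starts and ends outside this hunk.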
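Review bot: `splitOnToken((String)((char)0x0a))` in the UserAccountControl script reads as a magic cast and gives the next maintainer no hint that the input is newline-separated `%%NNNN` tokens, which is also why the separate `replace("%%","")` is needed. A one-line comment above the loop would carry that, e.g. `// UserAccountControl arrives as one "%%NNNN" token per line: split on LF, then strip the %% marker and surrounding whitespace`. Note that `trim()` also drops a trailing CR, so CRLF-separated input is handled without extra code; if tokens were ever separated by something other than a line break, the loop would yield a single untrimmed element, which the `length() > 0` check would not catch.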
@@ -2122,6 +2123,976 @@ processors: "16901": "Remote Access" "16902": "Subscribe" "16903": "Publish" + reversed_descriptions: + "Undefined Access (no effect) Bit 7" : "279" + "Unused message ID" : "1536" + "DELETE" : "1537" + "READ_CONTROL" : "1538" + "WRITE_DAC" : "1539" + "WRITE_OWNER" : "1540" + "SYNCHRONIZE" : "1541" + "ACCESS_SYS_SEC" : "1542" + "MAX_ALLOWED" : "1543" + "Unknown specific access (bit 0)" : "1552" + "Unknown specific access (bit 1)" : "1553" + "Unknown specific access (bit 2)" : "1554" + "Unknown specific access (bit 3)" : "1555" + "Unknown specific access (bit 4)" : "1556" + "Unknown specific access (bit 5)" : "1557" + "Unknown specific access (bit 6)" : "1558" + "Unknown specific access (bit 7)" : "1559" + "Unknown specific access (bit 8)" : "1560" + "Unknown specific access (bit 9)" : "1561" + "Unknown specific access (bit 10)" : "1562" + "Unknown specific access (bit 11)" : "1563" + "Unknown specific access (bit 12)" : "1564" + "Unknown specific access (bit 13)" : "1565" + "Unknown specific access (bit 14)" : "1566" + "Unknown specific access (bit 15)" : "1567" + "Not used" : "1601" + "Assign Primary Token Privilege" : "1603" + "Lock Memory Privilege" : "1604" + "Increase Memory Quota Privilege" : "1605" + "Unsolicited Input Privilege" : "1606" + "Trusted Computer Base Privilege" : "1607" + "Security Privilege" : "1608" + "Take Ownership Privilege" : "1609" + "Load/Unload Driver Privilege" : "1610" + "Profile System Privilege" : "1611" + "Set System Time Privilege" : "1612" + "Profile Single Process Privilege" : "1613" + "Increment Base Priority Privilege" : "1614" + "Create Pagefile Privilege" : "1615" + "Create Permanent Object Privilege" : "1616" + "Backup Privilege" : "1617" + "Restore From Backup Privilege" : "1618" + "Shutdown System Privilege" : "1619" + "Debug Privilege" : "1620" + "View or Change Audit Log Privilege" : "1621" + "Change Hardware Environment Privilege" : "1622" + "Change Notify (and Traverse) Privilege" : "1623" + 
"Remotely Shut System Down Privilege" : "1624" + "" : "1793" + "" : "1794" + "Enabled" : "1795" + "Disabled" : "1796" + "All" : "1797" + "None" : "1798" + "Audit Policy query/set API Operation" : "1799" + "" : "1800" + "Granted by" : "1801" + "Denied by" : "1802" + "Denied by Integrity Policy check" : "1803" + "Granted by Ownership" : "1804" + "Not granted" : "1805" + "Granted by NULL DACL" : "1806" + "Denied by Empty DACL" : "1807" + "Granted by NULL Security Descriptor" : "1808" + "Unknown or unchecked" : "1809" + "Not granted due to missing" : "1810" + "Granted by ACE on parent folder" : "1811" + "Denied by ACE on parent folder" : "1812" + "Granted by Central Access Rule" : "1813" + "NOT Granted by Central Access Rule" : "1814" + "Granted by parent folder's Central Access Rule" : "1815" + "NOT Granted by parent folder's Central Access Rule" : "1816" + "Unknown Type" : "1817" + "String" : "1818" + "Unsigned 64-bit Integer" : "1819" + "64-bit Integer" : "1820" + "FQBN" : "1821" + "Blob" : "1822" + "Sid" : "1823" + "Boolean" : "1824" + "TRUE" : "1825" + "FALSE" : "1826" + "Invalid" : "1827" + "an ACE too long to display" : "1828" + "a Security Descriptor too long to display" : "1829" + "Not granted to AppContainers" : "1830" + "..." : "1831" + "Identification" : "1832" + "Impersonation" : "1833" + "Delegation" : "1840" + "Denied by Process Trust Label ACE" : "1841" + "Yes" : "1842" + "No" : "1843" + "System" : "1844" + "Not Available" : "1845" + "Default" : "1846" + "DisallowMmConfig" : "1847" + "Off" : "1848" + "Auto" : "1849" + "REG_NONE" : "1872" + "REG_SZ" : "1873" + "REG_EXPAND_SZ" : "1874" + "REG_BINARY" : "1875" + "REG_DWORD" : "1876" + "REG_DWORD_BIG_ENDIAN" : "1877" + "REG_LINK" : "1878" + "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)" : "1879" + "REG_RESOURCE_LIST" : "1880" + "REG_FULL_RESOURCE_DESCRIPTOR" : "1881" + "REG_RESOURCE_REQUIREMENTS_LIST" : "1882" + "REG_QWORD" : "1883" + "New registry value created" : "1904" + "Existing registry value modified" : "1905" + "Registry value deleted" : "1906" + "Sunday" : "1920" + "Monday" : "1921" + "Tuesday" : "1922" + "Wednesday" : "1923" + "Thursday" : "1924" + "Friday" : "1925" + "Saturday" : "1926" + "TokenElevationTypeDefault (1)" : "1936" + "TokenElevationTypeFull (2)" : "1937" + "TokenElevationTypeLimited (3)" : "1938" + "Account Enabled" : "2048" + "Home Directory Required' - Disabled" : "2049" + "Password Not Required' - Disabled" : "2050" + "Temp Duplicate Account' - Disabled" : "2051" + "Normal Account' - Disabled" : "2052" + "MNS Logon Account' - Disabled" : "2053" + "Interdomain Trust Account' - Disabled" : "2054" + "Workstation Trust Account' - Disabled" : "2055" + "Server Trust Account' - Disabled" : "2056" + "Don't Expire Password' - Disabled" : "2057" + "Account Unlocked" : "2058" + "Encrypted Text Password Allowed' - Disabled" : "2059" + "Smartcard Required' - Disabled" : "2060" + "Trusted For Delegation' - Disabled" : "2061" + "Not Delegated' - Disabled" : "2062" + "Use DES Key Only' - Disabled" : "2063" + "Don't Require Preauth' - Disabled" : "2064" + "Password Expired' - Disabled" : "2065" + "Trusted To Authenticate For Delegation' - Disabled" : "2066" + "Exclude Authorization Information' - Disabled" : "2067" + "Undefined UserAccountControl Bit 20' - Disabled" : "2068" + "Protect Kerberos Service Tickets with AES Keys' - Disabled" : "2069" + "Undefined UserAccountControl Bit 22' - Disabled" : "2070" + "Undefined UserAccountControl Bit 23' - Disabled" : "2071" + "Undefined UserAccountControl Bit 24' - Disabled" : "2072" + "Undefined UserAccountControl Bit 25' - Disabled" : "2073" + "Undefined UserAccountControl Bit 26' - Disabled" : "2074" + "Undefined UserAccountControl Bit 27' - Disabled" : "2075" + 
"Undefined UserAccountControl Bit 28' - Disabled" : "2076" + "Undefined UserAccountControl Bit 29' - Disabled" : "2077" + "Undefined UserAccountControl Bit 30' - Disabled" : "2078" + "Undefined UserAccountControl Bit 31' - Disabled" : "2079" + "Account Disabled" : "2080" + "Home Directory Required' - Enabled" : "2081" + "Password Not Required' - Enabled" : "2082" + "Temp Duplicate Account' - Enabled" : "2083" + "Normal Account' - Enabled" : "2084" + "MNS Logon Account' - Enabled" : "2085" + "Interdomain Trust Account' - Enabled" : "2086" + "Workstation Trust Account' - Enabled" : "2087" + "Server Trust Account' - Enabled" : "2088" + "Don't Expire Password' - Enabled" : "2089" + "Account Locked" : "2090" + "Encrypted Text Password Allowed' - Enabled" : "2091" + "Smartcard Required' - Enabled" : "2092" + "Trusted For Delegation' - Enabled" : "2093" + "Not Delegated' - Enabled" : "2094" + "Use DES Key Only' - Enabled" : "2095" + "Don't Require Preauth' - Enabled" : "2096" + "Password Expired' - Enabled" : "2097" + "Trusted To Authenticate For Delegation' - Enabled" : "2098" + "Exclude Authorization Information' - Enabled" : "2099" + "Undefined UserAccountControl Bit 20' - Enabled" : "2100" + "Protect Kerberos Service Tickets with AES Keys' - Enabled" : "2101" + "Undefined UserAccountControl Bit 22' - Enabled" : "2102" + "Undefined UserAccountControl Bit 23' - Enabled" : "2103" + "Undefined UserAccountControl Bit 24' - Enabled" : "2104" + "Undefined UserAccountControl Bit 25' - Enabled" : "2105" + "Undefined UserAccountControl Bit 26' - Enabled" : "2106" + "Undefined UserAccountControl Bit 27' - Enabled" : "2107" + "Undefined UserAccountControl Bit 28' - Enabled" : "2108" + "Undefined UserAccountControl Bit 29' - Enabled" : "2109" + "Undefined UserAccountControl Bit 30' - Enabled" : "2110" + "Undefined UserAccountControl Bit 31' - Enabled" : "2111" + "An Error occured during Logon." : "2304" + "The specified user account has expired." 
: "2305" + "The NetLogon component is not active." : "2306" + "Account locked out." : "2307" + "The user has not been granted the requested logon type at this machine." : "2308" + "The specified account's password has expired." : "2309" + "Account currently disabled." : "2310" + "Account logon time restriction violation." : "2311" + "User not allowed to logon at this computer." : "2312" + "Unknown user name or bad password." : "2313" + "Domain sid inconsistent." : "2314" + "Smartcard logon is required and was not used." : "2315" + "Not Available." : "2432" + "Random number generator failure." : "2436" + "Random number generation failed FIPS-140 pre-hash check." : "2437" + "Failed to zero secret data." : "2438" + "Key failed pair wise consistency check." : "2439" + "Failed to unprotect persistent cryptographic key." : "2448" + "Key export checks failed." : "2449" + "Validation of public key failed." : "2450" + "Signature verification failed." : "2451" + "Open key file." : "2456" + "Delete key file." : "2457" + "Read persisted key from file." : "2458" + "Write persisted key to file." : "2459" + "Export of persistent cryptographic key." : "2464" + "Import of persistent cryptographic key." : "2465" + "Open Key." : "2480" + "Create Key." : "2481" + "Delete Key." : "2482" + "Encrypt." : "2483" + "Decrypt." : "2484" + "Sign hash." : "2485" + "Secret agreement." : "2486" + "Domain settings" : "2487" + "Local settings" : "2488" + "Add provider." : "2489" + "Remove provider." : "2490" + "Add context." : "2491" + "Remove context." : "2492" + "Add function." : "2493" + "Remove function." : "2494" + "Add function provider." : "2495" + "Remove function provider." : "2496" + "Add function property." : "2497" + "Remove function property." : "2498" + "Machine key." : "2499" + "User key." : "2500" + "Key Derivation." 
: "2501" + "Device Access Bit 0" : "4352" + "Device Access Bit 1" : "4353" + "Device Access Bit 2" : "4354" + "Device Access Bit 3" : "4355" + "Device Access Bit 4" : "4356" + "Device Access Bit 5" : "4357" + "Device Access Bit 6" : "4358" + "Device Access Bit 7" : "4359" + "Device Access Bit 8" : "4360" + "Undefined Access (no effect) Bit 9" : "4361" + "Undefined Access (no effect) Bit 10" : "4362" + "Undefined Access (no effect) Bit 11" : "4363" + "Undefined Access (no effect) Bit 12" : "4364" + "Undefined Access (no effect) Bit 13" : "4365" + "Undefined Access (no effect) Bit 14" : "4366" + "Undefined Access (no effect) Bit 15" : "4367" + "Query directory" : "4368" + "Traverse" : "4369" + "Create object in directory" : "4370" + "Create sub-directory" : "4371" + "Undefined Access (no effect) Bit 4" : "4372" + "Undefined Access (no effect) Bit 5" : "4373" + "Undefined Access (no effect) Bit 6" : "4374" + "Undefined Access (no effect) Bit 7" : "4375" + "Undefined Access (no effect) Bit 8" : "4376" + "Undefined Access (no effect) Bit 9" : "4377" + "Undefined Access (no effect) Bit 10" : "4378" + "Undefined Access (no effect) Bit 11" : "4379" + "Undefined Access (no effect) Bit 12" : "4380" + "Undefined Access (no effect) Bit 13" : "4381" + "Undefined Access (no effect) Bit 14" : "4382" + "Undefined Access (no effect) Bit 15" : "4383" + "Query event state" : "4384" + "Modify event state" : "4385" + "Undefined Access (no effect) Bit 2" : "4386" + "Undefined Access (no effect) Bit 3" : "4387" + "Undefined Access (no effect) Bit 4" : "4388" + "Undefined Access (no effect) Bit 5" : "4389" + "Undefined Access (no effect) Bit 6" : "4390" + "Undefined Access (no effect) Bit 7" : "4391" + "Undefined Access (no effect) Bit 8" : "4392" + "Undefined Access (no effect) Bit 9" : "4393" + "Undefined Access (no effect) Bit 10" : "4394" + "Undefined Access (no effect) Bit 11" : "4395" + "Undefined Access (no effect) Bit 12" : "4396" + "Undefined Access (no effect) Bit 13" : "4397" + 
"Undefined Access (no effect) Bit 14" : "4398" + "Undefined Access (no effect) Bit 15" : "4399" + "ReadData (or ListDirectory)" : "4416" + "WriteData (or AddFile)" : "4417" + "AppendData (or AddSubdirectory or CreatePipeInstance)" : "4418" + "ReadEA" : "4419" + "WriteEA" : "4420" + "Execute/Traverse" : "4421" + "DeleteChild" : "4422" + "ReadAttributes" : "4423" + "WriteAttributes" : "4424" + "Undefined Access (no effect) Bit 9" : "4425" + "Undefined Access (no effect) Bit 10" : "4426" + "Undefined Access (no effect) Bit 11" : "4427" + "Undefined Access (no effect) Bit 12" : "4428" + "Undefined Access (no effect) Bit 13" : "4429" + "Undefined Access (no effect) Bit 14" : "4430" + "Undefined Access (no effect) Bit 15" : "4431" + "Query key value" : "4432" + "Set key value" : "4433" + "Create sub-key" : "4434" + "Enumerate sub-keys" : "4435" + "Notify about changes to keys" : "4436" + "Create Link" : "4437" + "Undefined Access (no effect) Bit 6" : "4438" + "Undefined Access (no effect) Bit 7" : "4439" + "Enable 64(or 32) bit application to open 64 bit key" : "4440" + "Enable 64(or 32) bit application to open 32 bit key" : "4441" + "Undefined Access (no effect) Bit 10" : "4442" + "Undefined Access (no effect) Bit 11" : "4443" + "Undefined Access (no effect) Bit 12" : "4444" + "Undefined Access (no effect) Bit 13" : "4445" + "Undefined Access (no effect) Bit 14" : "4446" + "Undefined Access (no effect) Bit 15" : "4447" + "Query mutant state" : "4448" + "Undefined Access (no effect) Bit 1" : "4449" + "Undefined Access (no effect) Bit 2" : "4450" + "Undefined Access (no effect) Bit 3" : "4451" + "Undefined Access (no effect) Bit 4" : "4452" + "Undefined Access (no effect) Bit 5" : "4453" + "Undefined Access (no effect) Bit 6" : "4454" + "Undefined Access (no effect) Bit 7" : "4455" + "Undefined Access (no effect) Bit 8" : "4456" + "Undefined Access (no effect) Bit 9" : "4457" + "Undefined Access (no effect) Bit 10" : "4458" + "Undefined Access (no effect) Bit 11" : "4459" 
+ "Undefined Access (no effect) Bit 12" : "4460" + "Undefined Access (no effect) Bit 13" : "4461" + "Undefined Access (no effect) Bit 14" : "4462" + "Undefined Access (no effect) Bit 15" : "4463" + "Communicate using port" : "4464" + "Undefined Access (no effect) Bit 1" : "4465" + "Undefined Access (no effect) Bit 2" : "4466" + "Undefined Access (no effect) Bit 3" : "4467" + "Undefined Access (no effect) Bit 4" : "4468" + "Undefined Access (no effect) Bit 5" : "4469" + "Undefined Access (no effect) Bit 6" : "4470" + "Undefined Access (no effect) Bit 7" : "4471" + "Undefined Access (no effect) Bit 8" : "4472" + "Undefined Access (no effect) Bit 9" : "4473" + "Undefined Access (no effect) Bit 10" : "4474" + "Undefined Access (no effect) Bit 11" : "4475" + "Undefined Access (no effect) Bit 12" : "4476" + "Undefined Access (no effect) Bit 13" : "4477" + "Undefined Access (no effect) Bit 14" : "4478" + "Undefined Access (no effect) Bit 15" : "4479" + "Force process termination" : "4480" + "Create new thread in process" : "4481" + "Set process session ID" : "4482" + "Perform virtual memory operation" : "4483" + "Read from process memory" : "4484" + "Write to process memory" : "4485" + "Duplicate handle into or out of process" : "4486" + "Create a subprocess of process" : "4487" + "Set process quotas" : "4488" + "Set process information" : "4489" + "Query process information" : "4490" + "Set process termination port" : "4491" + "Undefined Access (no effect) Bit 12" : "4492" + "Undefined Access (no effect) Bit 13" : "4493" + "Undefined Access (no effect) Bit 14" : "4494" + "Undefined Access (no effect) Bit 15" : "4495" + "Control profile" : "4496" + "Undefined Access (no effect) Bit 1" : "4497" + "Undefined Access (no effect) Bit 2" : "4498" + "Undefined Access (no effect) Bit 3" : "4499" + "Undefined Access (no effect) Bit 4" : "4500" + "Undefined Access (no effect) Bit 5" : "4501" + "Undefined Access (no effect) Bit 6" : "4502" + "Undefined Access (no effect) Bit 7" : 
"4503" + "Undefined Access (no effect) Bit 8" : "4504" + "Undefined Access (no effect) Bit 9" : "4505" + "Undefined Access (no effect) Bit 10" : "4506" + "Undefined Access (no effect) Bit 11" : "4507" + "Undefined Access (no effect) Bit 12" : "4508" + "Undefined Access (no effect) Bit 13" : "4509" + "Undefined Access (no effect) Bit 14" : "4510" + "Undefined Access (no effect) Bit 15" : "4511" + "Query section state" : "4512" + "Map section for write" : "4513" + "Map section for read" : "4514" + "Map section for execute" : "4515" + "Extend size" : "4516" + "Undefined Access (no effect) Bit 5" : "4517" + "Undefined Access (no effect) Bit 6" : "4518" + "Undefined Access (no effect) Bit 7" : "4519" + "Undefined Access (no effect) Bit 8" : "4520" + "Undefined Access (no effect) Bit 9" : "4521" + "Undefined Access (no effect) Bit 10" : "4522" + "Undefined Access (no effect) Bit 11" : "4523" + "Undefined Access (no effect) Bit 12" : "4524" + "Undefined Access (no effect) Bit 13" : "4525" + "Undefined Access (no effect) Bit 14" : "4526" + "Undefined Access (no effect) Bit 15" : "4527" + "Query semaphore state" : "4528" + "Modify semaphore state" : "4529" + "Undefined Access (no effect) Bit 2" : "4530" + "Undefined Access (no effect) Bit 3" : "4531" + "Undefined Access (no effect) Bit 4" : "4532" + "Undefined Access (no effect) Bit 5" : "4533" + "Undefined Access (no effect) Bit 6" : "4534" + "Undefined Access (no effect) Bit 7" : "4535" + "Undefined Access (no effect) Bit 8" : "4536" + "Undefined Access (no effect) Bit 9" : "4537" + "Undefined Access (no effect) Bit 10" : "4538" + "Undefined Access (no effect) Bit 11" : "4539" + "Undefined Access (no effect) Bit 12" : "4540" + "Undefined Access (no effect) Bit 13" : "4541" + "Undefined Access (no effect) Bit 14" : "4542" + "Undefined Access (no effect) Bit 15" : "4543" + "Use symbolic link" : "4544" + "Undefined Access (no effect) Bit 1" : "4545" + "Undefined Access (no effect) Bit 2" : "4546" + "Undefined Access (no 
effect) Bit 3" : "4547" + "Undefined Access (no effect) Bit 4" : "4548" + "Undefined Access (no effect) Bit 5" : "4549" + "Undefined Access (no effect) Bit 6" : "4550" + "Undefined Access (no effect) Bit 7" : "4551" + "Undefined Access (no effect) Bit 8" : "4552" + "Undefined Access (no effect) Bit 9" : "4553" + "Undefined Access (no effect) Bit 10" : "4554" + "Undefined Access (no effect) Bit 11" : "4555" + "Undefined Access (no effect) Bit 12" : "4556" + "Undefined Access (no effect) Bit 13" : "4557" + "Undefined Access (no effect) Bit 14" : "4558" + "Undefined Access (no effect) Bit 15" : "4559" + "Force thread termination" : "4560" + "Suspend or resume thread" : "4561" + "Send an alert to thread" : "4562" + "Get thread context" : "4563" + "Set thread context" : "4564" + "Set thread information" : "4565" + "Query thread information" : "4566" + "Assign a token to the thread" : "4567" + "Cause thread to directly impersonate another thread" : "4568" + "Directly impersonate this thread" : "4569" + "Undefined Access (no effect) Bit 10" : "4570" + "Undefined Access (no effect) Bit 11" : "4571" + "Undefined Access (no effect) Bit 12" : "4572" + "Undefined Access (no effect) Bit 13" : "4573" + "Undefined Access (no effect) Bit 14" : "4574" + "Undefined Access (no effect) Bit 15" : "4575" + "Query timer state" : "4576" + "Modify timer state" : "4577" + "Undefined Access (no effect) Bit 2" : "4578" + "Undefined Access (no effect) Bit 3" : "4579" + "Undefined Access (no effect) Bit 4" : "4580" + "Undefined Access (no effect) Bit 5" : "4581" + "Undefined Access (no effect) Bit 6" : "4582" + "Undefined Access (no effect) Bit 8" : "4584" + "Undefined Access (no effect) Bit 9" : "4585" + "Undefined Access (no effect) Bit 10" : "4586" + "Undefined Access (no effect) Bit 11" : "4587" + "Undefined Access (no effect) Bit 12" : "4588" + "Undefined Access (no effect) Bit 13" : "4589" + "Undefined Access (no effect) Bit 14" : "4590" + "Undefined Access (no effect) Bit 15" : "4591" + 
"AssignAsPrimary" : "4592" + "Duplicate" : "4593" + "Impersonate" : "4594" + "Query" : "4595" + "QuerySource" : "4596" + "AdjustPrivileges" : "4597" + "AdjustGroups" : "4598" + "AdjustDefaultDacl" : "4599" + "AdjustSessionID" : "4600" + "Undefined Access (no effect) Bit 9" : "4601" + "Undefined Access (no effect) Bit 10" : "4602" + "Undefined Access (no effect) Bit 11" : "4603" + "Undefined Access (no effect) Bit 12" : "4604" + "Undefined Access (no effect) Bit 13" : "4605" + "Undefined Access (no effect) Bit 14" : "4606" + "Undefined Access (no effect) Bit 15" : "4607" + "Create instance of object type" : "4608" + "Undefined Access (no effect) Bit 1" : "4609" + "Undefined Access (no effect) Bit 2" : "4610" + "Undefined Access (no effect) Bit 3" : "4611" + "Undefined Access (no effect) Bit 4" : "4612" + "Undefined Access (no effect) Bit 5" : "4613" + "Undefined Access (no effect) Bit 6" : "4614" + "Undefined Access (no effect) Bit 7" : "4615" + "Undefined Access (no effect) Bit 8" : "4616" + "Undefined Access (no effect) Bit 9" : "4617" + "Undefined Access (no effect) Bit 10" : "4618" + "Undefined Access (no effect) Bit 11" : "4619" + "Undefined Access (no effect) Bit 12" : "4620" + "Undefined Access (no effect) Bit 13" : "4621" + "Undefined Access (no effect) Bit 14" : "4622" + "Undefined Access (no effect) Bit 15" : "4623" + "Query State" : "4864" + "Modify State" : "4865" + "Channel read message" : "5120" + "Channel write message" : "5121" + "Channel query information" : "5122" + "Channel set information" : "5123" + "Undefined Access (no effect) Bit 4" : "5124" + "Undefined Access (no effect) Bit 5" : "5125" + "Undefined Access (no effect) Bit 6" : "5126" + "Undefined Access (no effect) Bit 7" : "5127" + "Undefined Access (no effect) Bit 8" : "5128" + "Undefined Access (no effect) Bit 9" : "5129" + "Undefined Access (no effect) Bit 10" : "5130" + "Undefined Access (no effect) Bit 11" : "5131" + "Undefined Access (no effect) Bit 12" : "5132" + "Undefined Access 
(no effect) Bit 13" : "5133" + "Undefined Access (no effect) Bit 14" : "5134" + "Undefined Access (no effect) Bit 15" : "5135" + "Assign process" : "5136" + "Set Attributes" : "5137" + "Query Attributes" : "5138" + "Terminate Job" : "5139" + "Set Security Attributes" : "5140" + "Undefined Access (no effect) Bit 5" : "5141" + "Undefined Access (no effect) Bit 6" : "5142" + "Undefined Access (no effect) Bit 7" : "5143" + "Undefined Access (no effect) Bit 8" : "5144" + "Undefined Access (no effect) Bit 9" : "5145" + "Undefined Access (no effect) Bit 10" : "5146" + "Undefined Access (no effect) Bit 11" : "5147" + "Undefined Access (no effect) Bit 12" : "5148" + "Undefined Access (no effect) Bit 13" : "5149" + "Undefined Access (no effect) Bit 14" : "5150" + "Undefined Access (no effect) Bit 15" : "5151" + "ConnectToServer" : "5376" + "ShutdownServer" : "5377" + "InitializeServer" : "5378" + "CreateDomain" : "5379" + "EnumerateDomains" : "5380" + "LookupDomain" : "5381" + "Undefined Access (no effect) Bit 6" : "5382" + "Undefined Access (no effect) Bit 7" : "5383" + "Undefined Access (no effect) Bit 8" : "5384" + "Undefined Access (no effect) Bit 9" : "5385" + "Undefined Access (no effect) Bit 10" : "5386" + "Undefined Access (no effect) Bit 11" : "5387" + "Undefined Access (no effect) Bit 12" : "5388" + "Undefined Access (no effect) Bit 13" : "5389" + "Undefined Access (no effect) Bit 14" : "5390" + "Undefined Access (no effect) Bit 15" : "5391" + "ReadPasswordParameters" : "5392" + "WritePasswordParameters" : "5393" + "ReadOtherParameters" : "5394" + "WriteOtherParameters" : "5395" + "CreateUser" : "5396" + "CreateGlobalGroup" : "5397" + "CreateLocalGroup" : "5398" + "GetLocalGroupMembership" : "5399" + "ListAccounts" : "5400" + "LookupIDs" : "5401" + "AdministerServer" : "5402" + "Undefined Access (no effect) Bit 11" : "5403" + "Undefined Access (no effect) Bit 12" : "5404" + "Undefined Access (no effect) Bit 13" : "5405" + "Undefined Access (no effect) Bit 14" : 
"5406" + "Undefined Access (no effect) Bit 15" : "5407" + "ReadInformation" : "5408" + "WriteAccount" : "5409" + "AddMember" : "5410" + "RemoveMember" : "5411" + "ListMembers" : "5412" + "Undefined Access (no effect) Bit 5" : "5413" + "Undefined Access (no effect) Bit 6" : "5414" + "Undefined Access (no effect) Bit 7" : "5415" + "Undefined Access (no effect) Bit 8" : "5416" + "Undefined Access (no effect) Bit 9" : "5417" + "Undefined Access (no effect) Bit 10" : "5418" + "Undefined Access (no effect) Bit 11" : "5419" + "Undefined Access (no effect) Bit 12" : "5420" + "Undefined Access (no effect) Bit 13" : "5421" + "Undefined Access (no effect) Bit 14" : "5422" + "Undefined Access (no effect) Bit 15" : "5423" + "AddMember" : "5424" + "RemoveMember" : "5425" + "ListMembers" : "5426" + "ReadInformation" : "5427" + "WriteAccount" : "5428" + "Undefined Access (no effect) Bit 5" : "5429" + "Undefined Access (no effect) Bit 6" : "5430" + "Undefined Access (no effect) Bit 7" : "5431" + "Undefined Access (no effect) Bit 8" : "5432" + "Undefined Access (no effect) Bit 9" : "5433" + "Undefined Access (no effect) Bit 10" : "5434" + "Undefined Access (no effect) Bit 11" : "5435" + "Undefined Access (no effect) Bit 12" : "5436" + "Undefined Access (no effect) Bit 13" : "5437" + "Undefined Access (no effect) Bit 14" : "5438" + "Undefined Access (no effect) Bit 15" : "5439" + "ReadGeneralInformation" : "5440" + "ReadPreferences" : "5441" + "WritePreferences" : "5442" + "ReadLogon" : "5443" + "ReadAccount" : "5444" + "WriteAccount" : "5445" + "ChangePassword (with knowledge of old password)" : "5446" + "SetPassword (without knowledge of old password)" : "5447" + "ListGroups" : "5448" + "ReadGroupMembership" : "5449" + "ChangeGroupMembership" : "5450" + "Undefined Access (no effect) Bit 11" : "5451" + "Undefined Access (no effect) Bit 12" : "5452" + "Undefined Access (no effect) Bit 13" : "5453" + "Undefined Access (no effect) Bit 14" : "5454" + "Undefined Access (no effect) Bit 
15" : "5455" + "View non-sensitive policy information" : "5632" + "View system audit requirements" : "5633" + "Get sensitive policy information" : "5634" + "Modify domain trust relationships" : "5635" + "Create special accounts (for assignment of user rights)" : "5636" + "Create a secret object" : "5637" + "Create a privilege" : "5638" + "Set default quota limits" : "5639" + "Change system audit requirements" : "5640" + "Administer audit log attributes" : "5641" + "Enable/Disable LSA" : "5642" + "Lookup Names/SIDs" : "5643" + "Change secret value" : "5648" + "Query secret value" : "5649" + "Undefined Access (no effect) Bit 2" : "5650" + "Undefined Access (no effect) Bit 3" : "5651" + "Undefined Access (no effect) Bit 4" : "5652" + "Undefined Access (no effect) Bit 5" : "5653" + "Undefined Access (no effect) Bit 6" : "5654" + "Undefined Access (no effect) Bit 7" : "5655" + "Undefined Access (no effect) Bit 8" : "5656" + "Undefined Access (no effect) Bit 9" : "5657" + "Undefined Access (no effect) Bit 10" : "5658" + "Undefined Access (no effect) Bit 11" : "5659" + "Undefined Access (no effect) Bit 12" : "5660" + "Undefined Access (no effect) Bit 13" : "5661" + "Undefined Access (no effect) Bit 14" : "5662" + "Undefined Access (no effect) Bit 15" : "5663" + "Query trusted domain name/SID" : "5664" + "Retrieve the controllers in the trusted domain" : "5665" + "Change the controllers in the trusted domain" : "5666" + "Query the Posix ID offset assigned to the trusted domain" : "5667" + "Change the Posix ID offset assigned to the trusted domain" : "5668" + "Undefined Access (no effect) Bit 5" : "5669" + "Undefined Access (no effect) Bit 6" : "5670" + "Undefined Access (no effect) Bit 7" : "5671" + "Undefined Access (no effect) Bit 8" : "5672" + "Undefined Access (no effect) Bit 9" : "5673" + "Undefined Access (no effect) Bit 10" : "5674" + "Undefined Access (no effect) Bit 11" : "5675" + "Undefined Access (no effect) Bit 12" : "5676" + "Undefined Access (no effect) Bit 
13" : "5677" + "Undefined Access (no effect) Bit 14" : "5678" + "Undefined Access (no effect) Bit 15" : "5679" + "Query account information" : "5680" + "Change privileges assigned to account" : "5681" + "Change quotas assigned to account" : "5682" + "Change logon capabilities assigned to account" : "5683" + "Change the Posix ID offset assigned to the accounted domain" : "5684" + "Undefined Access (no effect) Bit 5" : "5685" + "Undefined Access (no effect) Bit 6" : "5686" + "Undefined Access (no effect) Bit 7" : "5687" + "Undefined Access (no effect) Bit 8" : "5688" + "Undefined Access (no effect) Bit 9" : "5689" + "Undefined Access (no effect) Bit 10" : "5690" + "Undefined Access (no effect) Bit 11" : "5691" + "Undefined Access (no effect) Bit 12" : "5692" + "Undefined Access (no effect) Bit 13" : "5693" + "Undefined Access (no effect) Bit 14" : "5694" + "Undefined Access (no effect) Bit 15" : "5695" + "KeyedEvent Wait" : "5696" + "KeyedEvent Wake" : "5697" + "Undefined Access (no effect) Bit 2" : "5698" + "Undefined Access (no effect) Bit 3" : "5699" + "Undefined Access (no effect) Bit 4" : "5700" + "Undefined Access (no effect) Bit 5" : "5701" + "Undefined Access (no effect) Bit 6" : "5702" + "Undefined Access (no effect) Bit 7" : "5703" + "Undefined Access (no effect) Bit 8" : "5704" + "Undefined Access (no effect) Bit 9" : "5705" + "Undefined Access (no effect) Bit 10" : "5706" + "Undefined Access (no effect) Bit 11" : "5707" + "Undefined Access (no effect) Bit 12" : "5708" + "Undefined Access (no effect) Bit 13" : "5709" + "Undefined Access (no effect) Bit 14" : "5710" + "Undefined Access (no effect) Bit 15" : "5711" + "Enumerate desktops" : "6656" + "Read attributes" : "6657" + "Access Clipboard" : "6658" + "Create desktop" : "6659" + "Write attributes" : "6660" + "Access global atoms" : "6661" + "Exit windows" : "6662" + "Unused Access Flag" : "6663" + "Include this windowstation in enumerations" : "6664" + "Read screen" : "6665" + "Read Objects" : "6672" + 
"Create window" : "6673" + "Create menu" : "6674" + "Hook control" : "6675" + "Journal (record)" : "6676" + "Journal (playback)" : "6677" + "Include this desktop in enumerations" : "6678" + "Write objects" : "6679" + "Switch to this desktop" : "6680" + "Administer print server" : "6912" + "Enumerate printers" : "6913" + "Full Control" : "6930" + "Print" : "6931" + "Administer Document" : "6948" + "Connect to service controller" : "7168" + "Create a new service" : "7169" + "Enumerate services" : "7170" + "Lock service database for exclusive access" : "7171" + "Query service database lock state" : "7172" + "Set last-known-good state of service database" : "7173" + "Query service configuration information" : "7184" + "Set service configuration information" : "7185" + "Query status of service" : "7186" + "Enumerate dependencies of service" : "7187" + "Start the service" : "7188" + "Stop the service" : "7189" + "Pause or continue the service" : "7190" + "Query information from service" : "7191" + "Issue service-specific control commands" : "7192" + "DDE Share Read" : "7424" + "DDE Share Write" : "7425" + "DDE Share Initiate Static" : "7426" + "DDE Share Initiate Link" : "7427" + "DDE Share Request" : "7428" + "DDE Share Advise" : "7429" + "DDE Share Poke" : "7430" + "DDE Share Execute" : "7431" + "DDE Share Add Items" : "7432" + "DDE Share List Items" : "7433" + "Create Child" : "7680" + "Delete Child" : "7681" + "List Contents" : "7682" + "Write Self" : "7683" + "Read Property" : "7684" + "Write Property" : "7685" + "Delete Tree" : "7686" + "List Object" : "7687" + "Control Access" : "7688" + "Undefined Access (no effect) Bit 9" : "7689" + "Undefined Access (no effect) Bit 10" : "7690" + "Undefined Access (no effect) Bit 11" : "7691" + "Undefined Access (no effect) Bit 12" : "7692" + "Undefined Access (no effect) Bit 13" : "7693" + "Undefined Access (no effect) Bit 14" : "7694" + "Undefined Access (no effect) Bit 15" : "7695" + "Audit Set System Policy" : "7936" + 
"Audit Query System Policy" : "7937" + "Audit Set Per User Policy" : "7938" + "Audit Query Per User Policy" : "7939" + "Audit Enumerate Users" : "7940" + "Audit Set Options" : "7941" + "Audit Query Options" : "7942" + "Port sharing (read)" : "8064" + "Port sharing (write)" : "8065" + "Default credentials" : "8096" + "Credentials manager" : "8097" + "Fresh credentials" : "8098" + "Kerberos" : "8192" + "Preshared key" : "8193" + "Unknown authentication" : "8194" + "DES" : "8195" + "3DES" : "8196" + "MD5" : "8197" + "SHA1" : "8198" + "Local computer" : "8199" + "Remote computer" : "8200" + "No state" : "8201" + "Sent first (SA) payload" : "8202" + "Sent second (KE) payload" : "8203" + "Sent third (ID) payload" : "8204" + "Initiator" : "8205" + "Responder" : "8206" + "No state" : "8207" + "Sent first (SA) payload" : "8208" + "Sent final payload" : "8209" + "Complete" : "8210" + "Unknown" : "8211" + "Transport" : "8212" + "Tunnel" : "8213" + "IKE/AuthIP DoS prevention mode started" : "8214" + "IKE/AuthIP DoS prevention mode stopped" : "8215" + "Enabled" : "8216" + "Not enabled" : "8217" + "No state" : "8218" + "Sent first (EM attributes) payload" : "8219" + "Sent second (SSPI) payload" : "8220" + "Sent third (hash) payload" : "8221" + "IKEv1" : "8222" + "AuthIP" : "8223" + "Anonymous" : "8224" + "NTLM V2" : "8225" + "CGA" : "8226" + "Certificate" : "8227" + "SSL" : "8228" + "None" : "8229" + "DH group 1" : "8230" + "DH group 2" : "8231" + "DH group 14" : "8232" + "DH group ECP 256" : "8233" + "DH group ECP 384" : "8234" + "AES-128" : "8235" + "AES-192" : "8236" + "AES-256" : "8237" + "Certificate ECDSA P256" : "8238" + "Certificate ECDSA P384" : "8239" + "SSL ECDSA P256" : "8240" + "SSL ECDSA P384" : "8241" + "SHA 256" : "8242" + "SHA 384" : "8243" + "IKEv2" : "8244" + "EAP payload sent" : "8245" + "Authentication payload sent" : "8246" + "EAP" : "8247" + "DH group 24" : "8248" + "System" : "8272" + "Logon/Logoff" : "8273" + "Object Access" : "8274" + "Privilege Use" : 
"8275" + "Detailed Tracking" : "8276" + "Policy Change" : "8277" + "Account Management" : "8278" + "DS Access" : "8279" + "Account Logon" : "8280" + "Success removed" : "8448" + "Success Added" : "8449" + "Failure removed" : "8450" + "Failure Added" : "8451" + "Success include removed" : "8452" + "Success include added" : "8453" + "Success exclude removed" : "8454" + "Success exclude added" : "8455" + "Failure include removed" : "8456" + "Failure include added" : "8457" + "Failure exclude removed" : "8458" + "Failure exclude added" : "8459" + "Security State Change" : "12288" + "Security System Extension" : "12289" + "System Integrity" : "12290" + "IPsec Driver" : "12291" + "Other System Events" : "12292" + "Logon" : "12544" + "Logoff" : "12545" + "Account Lockout" : "12546" + "IPsec Main Mode" : "12547" + "Special Logon" : "12548" + "IPsec Quick Mode" : "12549" + "IPsec Extended Mode" : "12550" + "Other Logon/Logoff Events" : "12551" + "Network Policy Server" : "12552" + "User / Device Claims" : "12553" + "Group Membership" : "12554" + "File System" : "12800" + "Registry" : "12801" + "Kernel Object" : "12802" + "SAM" : "12803" + "Other Object Access Events" : "12804" + "Certification Services" : "12805" + "Application Generated" : "12806" + "Handle Manipulation" : "12807" + "File Share" : "12808" + "Filtering Platform Packet Drop" : "12809" + "Filtering Platform Connection" : "12810" + "Detailed File Share" : "12811" + "Removable Storage" : "12812" + "Central Policy Staging" : "12813" + "Sensitive Privilege Use" : "13056" + "Non Sensitive Privilege Use" : "13057" + "Other Privilege Use Events" : "13058" + "Process Creation" : "13312" + "Process Termination" : "13313" + "DPAPI Activity" : "13314" + "RPC Events" : "13315" + "Plug and Play Events" : "13316" + "Token Right Adjusted Events" : "13317" + "Audit Policy Change" : "13568" + "Authentication Policy Change" : "13569" + "Authorization Policy Change" : "13570" + "MPSSVC Rule-Level Policy Change" : "13571" + 
"Filtering Platform Policy Change" : "13572" + "Other Policy Change Events" : "13573" + "User Account Management" : "13824" + "Computer Account Management" : "13825" + "Security Group Management" : "13826" + "Distribution Group Management" : "13827" + "Application Group Management" : "13828" + "Other Account Management Events" : "13829" + "Directory Service Access" : "14080" + "Directory Service Changes" : "14081" + "Directory Service Replication" : "14082" + "Detailed Directory Service Replication" : "14083" + "Credential Validation" : "14336" + "Kerberos Service Ticket Operations" : "14337" + "Other Account Logon Events" : "14338" + "Kerberos Authentication Service" : "14339" + "Inbound" : "14592" + "Outbound" : "14593" + "Forward" : "14594" + "Bidirectional" : "14595" + "IP Packet" : "14596" + "Transport" : "14597" + "Forward" : "14598" + "Stream" : "14599" + "Datagram Data" : "14600" + "ICMP Error" : "14601" + "MAC 802.3" : "14602" + "MAC Native" : "14603" + "vSwitch" : "14604" + "Resource Assignment" : "14608" + "Listen" : "14609" + "Receive/Accept" : "14610" + "Connect" : "14611" + "Flow Established" : "14612" + "Resource Release" : "14614" + "Endpoint Closure" : "14615" + "Connect Redirect" : "14616" + "Bind Redirect" : "14617" + "Stream Packet" : "14624" + "ICMP Echo-Request" : "14640" + "vSwitch Ingress" : "14641" + "vSwitch Egress" : "14642" + "" : "14672" + "[NULL]" : "14673" + "Value Added" : "14674" + "Value Deleted" : "14675" + "Active Directory Domain Services" : "14676" + "Active Directory Lightweight Directory Services" : "14677" + "Yes" : "14678" + "No" : "14679" + "Value Added With Expiration Time" : "14680" + "Value Deleted With Expiration Time" : "14681" + "Value Auto Deleted With Expiration Time" : "14688" + "Add" : "16384" + "Delete" : "16385" + "Boot-time" : "16386" + "Persistent" : "16387" + "Not persistent" : "16388" + "Block" : "16389" + "Permit" : "16390" + "Callout" : "16391" + "MD5" : "16392" + "SHA-1" : "16393" + "SHA-256" : "16394" + 
"AES-GCM 128" : "16395"
+ "AES-GCM 192" : "16396"
+ "AES-GCM 256" : "16397"
+ "DES" : "16398"
+ "3DES" : "16399"
+ "AES-128" : "16400"
+ "AES-192" : "16401"
+ "AES-256" : "16402"
+ "Transport" : "16403"
+ "Tunnel" : "16404"
+ "Responder" : "16405"
+ "Initiator" : "16406"
+ "AES-GMAC 128" : "16407"
+ "AES-GMAC 192" : "16408"
+ "AES-GMAC 256" : "16409"
+ "AuthNoEncap Transport" : "16416"
+ "Enable WMI Account" : "16896"
+ "Execute Method" : "16897"
+ "Full Write" : "16898"
+ "Partial Write" : "16899"
+ "Provider Write" : "16900"
+ "Remote Access" : "16901"
+ "Subscribe" : "16902"
+ "Publish" : "16903"
 AccessMaskDescriptions:
 "0x00000001": Create Child
 "0x00000002": Delete Child
@@ -2164,7 +3135,11 @@ processors:
 if (ctx?.winlog?.event_data?.FailureReason != null) {
 def code = ctx.winlog.event_data.FailureReason.replace("%%","");
- if (params.descriptions.containsKey(code)) {
+ def desc = params.descriptions[code];
+ if (desc == null) {
+ desc = code;
+ }
+ if (desc != null) {
 if (ctx?.winlog?.logon == null ) {
 HashMap hm = new HashMap();
 ctx.winlog.put("logon", hm);
@@ -2173,7 +3148,7 @@ processors:
 HashMap hm = new HashMap();
 ctx.winlog.logon.put("failure", hm);
 }
- ctx.winlog.logon.failure.put("reason", params.descriptions[code]);
+ ctx.winlog.logon.failure.put("reason", desc);
 }
 }
 if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) {
@@ -2182,6 +3157,8 @@ processors:
 def code = elem.replace("%%","").trim();
 if (params.descriptions.containsKey(code)) {
 results.add(params.descriptions[code]);
+ } else {
+ results.add(code);
 }
 }
 if (results.length > 0) {
@@ -2194,6 +3171,8 @@ processors:
 def code = elem.replace("%%","").trim();
 if (params.descriptions.containsKey(code)) {
 results.add(params.descriptions[code]);
+ } else {
+ results.add(code);
 }
 }
 if (results.length > 0) {
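Review bot: In the `@@ -2164` hunk the guard `if (desc != null) {` can never be false, because the preceding `if (desc == null) { desc = code; }` has already substituted `code`, which is non-null once `FailureReason` passed the outer null check; the four added lines reduce to `def desc = params.descriptions.getOrDefault(code, code);` followed by the original block body, and the `@@ -2173` hunk that stores `desc` stays as is. A short comment on the fallback would also help, since `winlog.logon.failure.reason` now carries a raw `%%`-stripped code for values missing from `descriptions` where the field was previously left unset, so anything downstream matching on that field should expect both forms. The enclosing processor script starts and ends outside the hunk.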
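Review bot: The `@@ -2182` and `@@ -2194` hunks add the same `} else { results.add(code); }` fallback to two identical `containsKey` loops, so the description lookup is now spelled in three different shapes within one script. Both loops can use `results.add(params.descriptions.getOrDefault(code, code));` in place of the `if`/`else`, which keeps the fallback behavior identical and makes it obvious that raw codes are intentionally emitted when the table has no entry. Both loops start outside their hunks.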
@@ -2207,9 +3186,17 @@ processors:
 if (elem.length() == 0) {
 continue;
 }
- list.add(elem);
 def code = elem.replace("%%","").trim();
- accessMask |= Long.decode(code).longValue();
+ if (params.descriptions.containsKey(code)) {
+ list.add(params.descriptions[code]);
+ } else {
+ list.add(code);
+ code = params.reversed_descriptions[code];
+ }
+ try {
+ def longCode = Long.decode(code).longValue();
+ accessMask |= longCode;
+ } catch (Exception e) {}
 }
 if (list.length > 0) {
 ctx.winlog.event_data.put("AccessMask", list);
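Review bot: In the `else` branch, `code = params.reversed_descriptions[code];` overwrites `code` with `null` whenever the element is neither a `descriptions` key nor a `reversed_descriptions` key — which is the case for a hex mask in the form the `AccessMaskDescriptions` keys use, such as `0x00000001` — so the following `Long.decode(code)` throws, the empty `catch (Exception e) {}` swallows it, and the value never reaches `accessMask`, whereas the removed line decoded such masks directly. Only reassign on a hit: `def rev = params.reversed_descriptions[code];` followed by `if (rev != null) { code = rev; }`, and give the deliberately ignored exception a comment (or a debug-level trace) rather than an empty catch body, so a silently dropped mask is diagnosable. Note also that the reversed table added earlier in this file repeats several keys — `No state`, `Transport`, `Forward`, `DES`, `3DES`, `MD5`, `AES-128`, `Initiator`, `Responder` — so the name-to-code lookup is ambiguous for those; whether the YAML loader rejects duplicate keys or keeps the last one depends on the loader, and a comment naming the intended winner would avoid surprises either way. The enclosing loop and the later use of `accessMask` continue outside the hunk.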