Skip to content

Instantly share code, notes, and snippets.

@unndrstr

unndrstr/Elastic-Agent.yml Secret

Created July 7, 2021 13:54
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save unndrstr/4c074a5e00ef9b71a2a3135f0ef9efda to your computer and use it in GitHub Desktop.
Save unndrstr/4c074a5e00ef9b71a2a3135f0ef9efda to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Elastic-Agent.yml
id: 81cf0f10-dd8d-11eb-a26c-8d9637e37a6c
revision: 2
outputs:
default:
type: elasticsearch
hosts:
- 'http://localhost:9200'
username: elastic
password: password
agent:
monitoring:
enabled: true
use_output: default
logs: true
metrics: true
inputs:
- id: 59f6c6b5-6418-4125-9daa-9853f8c77855
name: system-1
revision: 1
type: logfile
use_output: default
meta:
package:
name: system
version: 0.10.9
data_stream:
namespace: name
streams:
- id: logfile-system.auth-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.auth
type: logs
paths:
- /var/log/auth.log*
- /var/log/secure*
exclude_files:
- .gz$
multiline:
pattern: ^\s
match: after
processors:
- add_locale: null
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
- id: logfile-system.syslog-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.syslog
type: logs
paths:
- /var/log/messages*
- /var/log/syslog*
exclude_files:
- .gz$
multiline:
pattern: ^\s
match: after
processors:
- add_locale: null
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
- id: 59f6c6b5-6418-4125-9daa-9853f8c77855
name: system-1
revision: 1
type: winlog
use_output: default
meta:
package:
name: system
version: 0.10.9
data_stream:
namespace: kirby
streams:
- id: winlog-system.application-59f6c6b5-6418-4125-9daa-9853f8c77855
name: Application
data_stream:
dataset: system.application
type: logs
condition: '${host.platform} == ''windows'''
ignore_older: 72h
- id: winlog-system.system-59f6c6b5-6418-4125-9daa-9853f8c77855
name: System
data_stream:
dataset: system.system
type: logs
condition: '${host.platform} == ''windows'''
- id: winlog-system.security-59f6c6b5-6418-4125-9daa-9853f8c77855
name: Security
data_stream:
dataset: system.security
type: logs
condition: '${host.platform} == ''windows'''
processors:
- add_fields:
target: ''
fields:
ecs.version: 1.6.0
- script:
id: security
lang: javascript
source: >-
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch
B.V. under one
// or more contributor license agreements. Licensed under the
Elastic License;
// you may not use this file except in compliance with the
Elastic License.
var security = (function () {
var path = require("path");
var processor = require("processor");
var windows = require("windows");
// Logon Types
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
var logonTypes = {
"2": "Interactive",
"3": "Network",
"4": "Batch",
"5": "Service",
"7": "Unlock",
"8": "NetworkCleartext",
"9": "NewCredentials",
"10": "RemoteInteractive",
"11": "CachedInteractive",
};
// User Account Control Attributes Table
// https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
var uacFlags = [
[0x0001, 'SCRIPT'],
[0x0002, 'ACCOUNTDISABLE'],
[0x0008, 'HOMEDIR_REQUIRED'],
[0x0010, 'LOCKOUT'],
[0x0020, 'PASSWD_NOTREQD'],
[0x0040, 'PASSWD_CANT_CHANGE'],
[0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
[0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
[0x0200, 'NORMAL_ACCOUNT'],
[0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
[0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
[0x2000, 'SERVER_TRUST_ACCOUNT'],
[0x10000, 'DONT_EXPIRE_PASSWORD'],
[0x20000, 'MNS_LOGON_ACCOUNT'],
[0x40000, 'SMARTCARD_REQUIRED'],
[0x80000, 'TRUSTED_FOR_DELEGATION'],
[0x100000, 'NOT_DELEGATED'],
[0x200000, 'USE_DES_KEY_ONLY'],
[0x400000, 'DONT_REQ_PREAUTH'],
[0x800000, 'PASSWORD_EXPIRED'],
[0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
[0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
];
// Kerberos TGT and TGS Ticket Options
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
var ticketOptions = [
"Reserved",
"Forwardable",
"Forwarded",
"Proxiable",
"Proxy",
"Allow-postdate",
"Postdated",
"Invalid",
"Renewable",
"Initial",
"Pre-authent",
"Opt-hardware-auth",
"Transited-policy-checked",
"Ok-as-delegate",
"Request-anonymous",
"Name-canonicalize",
"Unused",
"Unused",
"Unused",
"Unused",
"Unused",
"Unused",
"Unused",
"Unused",
"Unused",
"Unused",
"Disable-transited-check",
"Renewable-ok",
"Enc-tkt-in-skey",
"Unused",
"Renew",
"Validate"];
// Kerberos Encryption Types
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
var ticketEncryptionTypes = {
"0x1": "DES-CBC-CRC",
"0x3": "DES-CBC-MD5",
"0x11": "AES128-CTS-HMAC-SHA1-96",
"0x12": "AES256-CTS-HMAC-SHA1-96",
"0x17": "RC4-HMAC",
"0x18": "RC4-HMAC-EXP",
"0xffffffff": "FAIL",
};
// Kerberos Result Status Codes
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
var kerberosTktStatusCodes = {
"0x0": "KDC_ERR_NONE",
"0x1": "KDC_ERR_NAME_EXP",
"0x2": "KDC_ERR_SERVICE_EXP",
"0x3": "KDC_ERR_BAD_PVNO",
"0x4": "KDC_ERR_C_OLD_MAST_KVNO",
"0x5": "KDC_ERR_S_OLD_MAST_KVNO",
"0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
"0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN",
"0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
"0x9": "KDC_ERR_NULL_KEY",
"0xA": "KDC_ERR_CANNOT_POSTDATE",
"0xB": "KDC_ERR_NEVER_VALID",
"0xC": "KDC_ERR_POLICY",
"0xD": "KDC_ERR_BADOPTION",
"0xE": "KDC_ERR_ETYPE_NOTSUPP",
"0xF": "KDC_ERR_SUMTYPE_NOSUPP",
"0x10": "KDC_ERR_PADATA_TYPE_NOSUPP",
"0x11": "KDC_ERR_TRTYPE_NO_SUPP",
"0x12": "KDC_ERR_CLIENT_REVOKED",
"0x13": "KDC_ERR_SERVICE_REVOKED",
"0x14": "KDC_ERR_TGT_REVOKED",
"0x15": "KDC_ERR_CLIENT_NOTYET",
"0x16": "KDC_ERR_SERVICE_NOTYET",
"0x17": "KDC_ERR_KEY_EXPIRED",
"0x18": "KDC_ERR_PREAUTH_FAILED",
"0x19": "KDC_ERR_PREAUTH_REQUIRED",
"0x1A": "KDC_ERR_SERVER_NOMATCH",
"0x1B": "KDC_ERR_MUST_USE_USER2USER",
"0x1F": "KRB_AP_ERR_BAD_INTEGRITY",
"0x20": "KRB_AP_ERR_TKT_EXPIRED",
"0x21": "KRB_AP_ERR_TKT_NYV",
"0x22": "KRB_AP_ERR_REPEAT",
"0x23": "KRB_AP_ERR_NOT_US",
"0x24": "KRB_AP_ERR_BADMATCH",
"0x25": "KRB_AP_ERR_SKEW",
"0x26": "KRB_AP_ERR_BADADDR",
"0x27": "KRB_AP_ERR_BADVERSION",
"0x28": "KRB_AP_ERR_MSG_TYPE",
"0x29": "KRB_AP_ERR_MODIFIED",
"0x2A": "KRB_AP_ERR_BADORDER",
"0x2C": "KRB_AP_ERR_BADKEYVER",
"0x2D": "KRB_AP_ERR_NOKEY",
"0x2E": "KRB_AP_ERR_MUT_FAIL",
"0x2F": "KRB_AP_ERR_BADDIRECTION",
"0x30": "KRB_AP_ERR_METHOD",
"0x31": "KRB_AP_ERR_BADSEQ",
"0x32": "KRB_AP_ERR_INAPP_CKSUM",
"0x33": "KRB_AP_PATH_NOT_ACCEPTED",
"0x34": "KRB_ERR_RESPONSE_TOO_BIG",
"0x3C": "KRB_ERR_GENERIC",
"0x3D": "KRB_ERR_FIELD_TOOLONG",
"0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED",
"0x3F": "KDC_ERR_KDC_NOT_TRUSTED",
"0x40": "KDC_ERR_INVALID_SIG",
"0x41": "KDC_ERR_KEY_TOO_WEAK",
"0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED",
"0x43": "KRB_AP_ERR_NO_TGT",
"0x44": "KDC_ERR_WRONG_REALM",
};
// event.category, event.type, event.action
var eventActionTypes = {
"1100": ["process","end","logging-service-shutdown"],
"1102": ["iam", "admin", "audit-log-cleared"],
"1104": ["iam","admin","logging-full"],
"1105": ["iam","admin","auditlog-archieved"],
"1108": ["iam","admin","logging-processing-error"],
"4624": ["authentication","start","logged-in"],
"4625": ["authentication","start","logon-failed"],
"4634": ["authentication","end","logged-out"],
"4647": ["authentication","end","logged-out"],
"4648": ["authentication","start","logged-in-explicit"],
"4672": ["iam","admin","logged-in-special"],
"4673": ["iam","admin","privileged-service-called"],
"4674": ["iam","admin","privileged-operation"],
"4688": ["process","start","created-process"],
"4689": ["process", "end", "exited-process"],
"4697": ["iam","admin","service-installed"],
"4698": ["iam","creation","scheduled-task-created"],
"4699": ["iam","deletion","scheduled-task-deleted"],
"4700": ["iam","change","scheduled-task-enabled"],
"4701": ["iam","change","scheduled-task-disabled"],
"4702": ["iam","change","scheduled-task-updated"],
"4719": ["iam","admin","changed-audit-config"],
"4720": ["iam","creation","added-user-account"],
"4722": ["iam","creation","enabled-user-account"],
"4723": ["iam","change","changed-password"],
"4724": ["iam","change","reset-password"],
"4725": ["iam","deletion","disabled-user-account"],
"4726": ["iam","deletion","deleted-user-account"],
"4727": ["iam","creation","added-group-account"],
"4728": ["iam","change","added-member-to-group"],
"4729": ["iam","change","removed-member-from-group"],
"4730": ["iam","deletion","deleted-group-account"],
"4731": ["iam","creation","added-group-account"],
"4732": ["iam","change","added-member-to-group"],
"4733": ["iam","change","removed-member-from-group"],
"4734": ["iam","deletion","deleted-group-account"],
"4735": ["iam","change","modified-group-account"],
"4737": ["iam","change","modified-group-account"],
"4738": ["iam","change","modified-user-account"],
"4740": ["iam","change","locked-out-user-account"],
"4741": ["iam","creation","added-computer-account"],
"4742": ["iam","change","changed-computer-account"],
"4743": ["iam","deletion","deleted-computer-account"],
"4744": ["iam","creation","added-distribution-group-account"],
"4745": ["iam","change","changed-distribution-group-account"],
"4746": ["iam","change","added-member-to-distribution-group"],
"4747": ["iam","change","removed-member-from-distribution-group"],
"4748": ["iam","deletion","deleted-distribution-group-account"],
"4749": ["iam","creation","added-distribution-group-account"],
"4750": ["iam","change","changed-distribution-group-account"],
"4751": ["iam","change","added-member-to-distribution-group"],
"4752": ["iam","change","removed-member-from-distribution-group"],
"4753": ["iam","deletion","deleted-distribution-group-account"],
"4754": ["iam","creation","added-group-account"],
"4755": ["iam","change","modified-group-account"],
"4756": ["iam","change","added-member-to-group"],
"4757": ["iam","change","removed-member-from-group"],
"4758": ["iam","deletion","deleted-group-account"],
"4759": ["iam","creation","added-distribution-group-account"],
"4760": ["iam","change","changed-distribution-group-account"],
"4761": ["iam","change","added-member-to-distribution-group"],
"4762": ["iam","change","removed-member-from-distribution-group"],
"4763": ["iam","deletion","deleted-distribution-group-account"],
"4764": ["iam","change","type-changed-group-account"],
"4767": ["iam","change","unlocked-user-account"],
"4768": ["authentication","start","kerberos-authentication-ticket-requested"],
"4769": ["authentication","start","kerberos-service-ticket-requested"],
"4770": ["authentication","start","kerberos-service-ticket-renewed"],
"4771": ["authentication","start","kerberos-preauth-failed"],
"4776": ["authentication","start","credential-validated"],
"4778": ["authentication","start","session-reconnected"],
"4779": ["authentication","end","session-disconnected"],
"4781": ["iam","change","renamed-user-account","dummy"],
"4798": ["iam","info","group-membership-enumerated"],
"4799": ["iam","info","user-member-enumerated","dummy"],
"4964": ["iam","admin","logged-in-special"],
};
// Audit Policy Changes Table
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719
var auditActions = {
"8448": "Success Removed",
"8450": "Failure Removed",
"8449": "Success Added",
"8451": "Failure Added",
};
// Services Types
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
var serviceTypes = {
"0x1": "Kernel Driver",
"0x2": "File System Driver",
"0x8": "Recognizer Driver",
"0x10": "Win32 Own Process",
"0x20": "Win32 Share Process",
"0x110": "Interactive Own Process",
"0x120": "Interactive Share Process",
};
// Audit Categories Description
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
var auditDescription = {
"0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"],
"0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"],
"0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"],
"0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"],
"0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"],
"0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"],
"0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"],
"0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"],
"0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"],
"0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"],
"0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"],
"0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"],
"0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"],
"0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"],
"0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"],
"0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"],
"0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"],
"0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"],
"0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"],
"0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"],
"0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"],
"0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"],
"0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"],
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"],
"0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"],
"0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"],
"0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"],
"0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"],
"0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"],
"0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"],
"0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"],
"0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"],
"0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"],
"0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"],
"0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"],
"0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"],
"0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"],
"0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"],
"0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"],
"0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"],
"0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"],
"0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"],
"0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"],
"0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"],
"0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"],
"0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"],
"0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"],
"0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"],
"0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"],
"0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"],
"0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"],
"0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"],
"0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"],
"0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"],
"0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"],
"0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"],
"0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"],
};
// Descriptions of failure status codes.
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
var logonFailureStatus = {
"0xc000005e": "There are currently no logon servers available to service the logon request.",
"0xc0000064": "User logon with misspelled or bad user account",
"0xc000006a": "User logon with misspelled or bad password",
"0xc000006d": "This is either due to a bad username or authentication information",
"0xc000006e": "Unknown user name or bad password.",
"0xc000006f": "User logon outside authorized hours",
"0xc0000070": "User logon from unauthorized workstation",
"0xc0000071": "User logon with expired password",
"0xc0000072": "User logon to account disabled by administrator",
"0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.",
"0xc0000133": "Clocks between DC and other computer too far out of sync",
"0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine",
"0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.",
"0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.",
"0xc0000193": "User logon with expired account",
"0xc0000224": "User is required to change password at next logon",
"0xc0000225": "Evidently a bug in Windows and not a risk",
"0xc0000234": "User logon with account locked",
"0xc00002ee": "Failure Reason: An Error occurred during Logon",
"0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.",
"0xc0000371": "The local account store does not contain secret material for the specified account",
"0x0": "Status OK.",
};
// Message table extracted from msobjs.dll on Windows 2019.
// https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012
var msobjsMessageTable = {
"279": "Undefined Access (no effect) Bit 7",
"1536": "Unused message ID",
"1537": "DELETE",
"1538": "READ_CONTROL",
"1539": "WRITE_DAC",
"1540": "WRITE_OWNER",
"1541": "SYNCHRONIZE",
"1542": "ACCESS_SYS_SEC",
"1543": "MAX_ALLOWED",
"1552": "Unknown specific access (bit 0)",
"1553": "Unknown specific access (bit 1)",
"1554": "Unknown specific access (bit 2)",
"1555": "Unknown specific access (bit 3)",
"1556": "Unknown specific access (bit 4)",
"1557": "Unknown specific access (bit 5)",
"1558": "Unknown specific access (bit 6)",
"1559": "Unknown specific access (bit 7)",
"1560": "Unknown specific access (bit 8)",
"1561": "Unknown specific access (bit 9)",
"1562": "Unknown specific access (bit 10)",
"1563": "Unknown specific access (bit 11)",
"1564": "Unknown specific access (bit 12)",
"1565": "Unknown specific access (bit 13)",
"1566": "Unknown specific access (bit 14)",
"1567": "Unknown specific access (bit 15)",
"1601": "Not used",
"1603": "Assign Primary Token Privilege",
"1604": "Lock Memory Privilege",
"1605": "Increase Memory Quota Privilege",
"1606": "Unsolicited Input Privilege",
"1607": "Trusted Computer Base Privilege",
"1608": "Security Privilege",
"1609": "Take Ownership Privilege",
"1610": "Load/Unload Driver Privilege",
"1611": "Profile System Privilege",
"1612": "Set System Time Privilege",
"1613": "Profile Single Process Privilege",
"1614": "Increment Base Priority Privilege",
"1615": "Create Pagefile Privilege",
"1616": "Create Permanent Object Privilege",
"1617": "Backup Privilege",
"1618": "Restore From Backup Privilege",
"1619": "Shutdown System Privilege",
"1620": "Debug Privilege",
"1621": "View or Change Audit Log Privilege",
"1622": "Change Hardware Environment Privilege",
"1623": "Change Notify (and Traverse) Privilege",
"1624": "Remotely Shut System Down Privilege",
"1792": "<value changed",
"1793": "<value not set>",
"1794": "<never>",
"1795": "Enabled",
"1796": "Disabled",
"1797": "All",
"1798": "None",
"1799": "Audit Policy query/set API Operation",
"1800": "<Value change auditing for this registry type is not supported>",
"1801": "Granted by",
"1802": "Denied by",
"1803": "Denied by Integrity Policy check",
"1804": "Granted by Ownership",
"1805": "Not granted",
"1806": "Granted by NULL DACL",
"1807": "Denied by Empty DACL",
"1808": "Granted by NULL Security Descriptor",
"1809": "Unknown or unchecked",
"1810": "Not granted due to missing",
"1811": "Granted by ACE on parent folder",
"1812": "Denied by ACE on parent folder",
"1813": "Granted by Central Access Rule",
"1814": "NOT Granted by Central Access Rule",
"1815": "Granted by parent folder's Central Access Rule",
"1816": "NOT Granted by parent folder's Central Access Rule",
"1817": "Unknown Type",
"1818": "String",
"1819": "Unsigned 64-bit Integer",
"1820": "64-bit Integer",
"1821": "FQBN",
"1822": "Blob",
"1823": "Sid",
"1824": "Boolean",
"1825": "TRUE",
"1826": "FALSE",
"1827": "Invalid",
"1828": "an ACE too long to display",
"1829": "a Security Descriptor too long to display",
"1830": "Not granted to AppContainers",
"1831": "...",
"1832": "Identification",
"1833": "Impersonation",
"1840": "Delegation",
"1841": "Denied by Process Trust Label ACE",
"1842": "Yes",
"1843": "No",
"1844": "System",
"1845": "Not Available",
"1846": "Default",
"1847": "DisallowMmConfig",
"1848": "Off",
"1849": "Auto",
"1872": "REG_NONE",
"1873": "REG_SZ",
"1874": "REG_EXPAND_SZ",
"1875": "REG_BINARY",
"1876": "REG_DWORD",
"1877": "REG_DWORD_BIG_ENDIAN",
"1878": "REG_LINK",
"1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)",
"1880": "REG_RESOURCE_LIST",
"1881": "REG_FULL_RESOURCE_DESCRIPTOR",
"1882": "REG_RESOURCE_REQUIREMENTS_LIST",
"1883": "REG_QWORD",
"1904": "New registry value created",
"1905": "Existing registry value modified",
"1906": "Registry value deleted",
"1920": "Sunday",
"1921": "Monday",
"1922": "Tuesday",
"1923": "Wednesday",
"1924": "Thursday",
"1925": "Friday",
"1926": "Saturday",
"1936": "TokenElevationTypeDefault (1)",
"1937": "TokenElevationTypeFull (2)",
"1938": "TokenElevationTypeLimited (3)",
"2048": "Account Enabled",
"2049": "Home Directory Required' - Disabled",
"2050": "Password Not Required' - Disabled",
"2051": "Temp Duplicate Account' - Disabled",
"2052": "Normal Account' - Disabled",
"2053": "MNS Logon Account' - Disabled",
"2054": "Interdomain Trust Account' - Disabled",
"2055": "Workstation Trust Account' - Disabled",
"2056": "Server Trust Account' - Disabled",
"2057": "Don't Expire Password' - Disabled",
"2058": "Account Unlocked",
"2059": "Encrypted Text Password Allowed' - Disabled",
"2060": "Smartcard Required' - Disabled",
"2061": "Trusted For Delegation' - Disabled",
"2062": "Not Delegated' - Disabled",
"2063": "Use DES Key Only' - Disabled",
"2064": "Don't Require Preauth' - Disabled",
"2065": "Password Expired' - Disabled",
"2066": "Trusted To Authenticate For Delegation' - Disabled",
"2067": "Exclude Authorization Information' - Disabled",
"2068": "Undefined UserAccountControl Bit 20' - Disabled",
"2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled",
"2070": "Undefined UserAccountControl Bit 22' - Disabled",
"2071": "Undefined UserAccountControl Bit 23' - Disabled",
"2072": "Undefined UserAccountControl Bit 24' - Disabled",
"2073": "Undefined UserAccountControl Bit 25' - Disabled",
"2074": "Undefined UserAccountControl Bit 26' - Disabled",
"2075": "Undefined UserAccountControl Bit 27' - Disabled",
"2076": "Undefined UserAccountControl Bit 28' - Disabled",
"2077": "Undefined UserAccountControl Bit 29' - Disabled",
"2078": "Undefined UserAccountControl Bit 30' - Disabled",
"2079": "Undefined UserAccountControl Bit 31' - Disabled",
"2080": "Account Disabled",
"2081": "Home Directory Required' - Enabled",
"2082": "Password Not Required' - Enabled",
"2083": "Temp Duplicate Account' - Enabled",
"2084": "Normal Account' - Enabled",
"2085": "MNS Logon Account' - Enabled",
"2086": "Interdomain Trust Account' - Enabled",
"2087": "Workstation Trust Account' - Enabled",
"2088": "Server Trust Account' - Enabled",
"2089": "Don't Expire Password' - Enabled",
"2090": "Account Locked",
"2091": "Encrypted Text Password Allowed' - Enabled",
"2092": "Smartcard Required' - Enabled",
"2093": "Trusted For Delegation' - Enabled",
"2094": "Not Delegated' - Enabled",
"2095": "Use DES Key Only' - Enabled",
"2096": "Don't Require Preauth' - Enabled",
"2097": "Password Expired' - Enabled",
"2098": "Trusted To Authenticate For Delegation' - Enabled",
"2099": "Exclude Authorization Information' - Enabled",
"2100": "Undefined UserAccountControl Bit 20' - Enabled",
"2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled",
"2102": "Undefined UserAccountControl Bit 22' - Enabled",
"2103": "Undefined UserAccountControl Bit 23' - Enabled",
"2104": "Undefined UserAccountControl Bit 24' - Enabled",
"2105": "Undefined UserAccountControl Bit 25' - Enabled",
"2106": "Undefined UserAccountControl Bit 26' - Enabled",
"2107": "Undefined UserAccountControl Bit 27' - Enabled",
"2108": "Undefined UserAccountControl Bit 28' - Enabled",
"2109": "Undefined UserAccountControl Bit 29' - Enabled",
"2110": "Undefined UserAccountControl Bit 30' - Enabled",
"2111": "Undefined UserAccountControl Bit 31' - Enabled",
"2304": "An Error occured during Logon.",
"2305": "The specified user account has expired.",
"2306": "The NetLogon component is not active.",
"2307": "Account locked out.",
"2308": "The user has not been granted the requested logon type at this machine.",
"2309": "The specified account's password has expired.",
"2310": "Account currently disabled.",
"2311": "Account logon time restriction violation.",
"2312": "User not allowed to logon at this computer.",
"2313": "Unknown user name or bad password.",
"2314": "Domain sid inconsistent.",
"2315": "Smartcard logon is required and was not used.",
"2432": "Not Available.",
"2436": "Random number generator failure.",
"2437": "Random number generation failed FIPS-140 pre-hash check.",
"2438": "Failed to zero secret data.",
"2439": "Key failed pair wise consistency check.",
"2448": "Failed to unprotect persistent cryptographic key.",
"2449": "Key export checks failed.",
"2450": "Validation of public key failed.",
"2451": "Signature verification failed.",
"2456": "Open key file.",
"2457": "Delete key file.",
"2458": "Read persisted key from file.",
"2459": "Write persisted key to file.",
"2464": "Export of persistent cryptographic key.",
"2465": "Import of persistent cryptographic key.",
"2480": "Open Key.",
"2481": "Create Key.",
"2482": "Delete Key.",
"2483": "Encrypt.",
"2484": "Decrypt.",
"2485": "Sign hash.",
"2486": "Secret agreement.",
"2487": "Domain settings",
"2488": "Local settings",
"2489": "Add provider.",
"2490": "Remove provider.",
"2491": "Add context.",
"2492": "Remove context.",
"2493": "Add function.",
"2494": "Remove function.",
"2495": "Add function provider.",
"2496": "Remove function provider.",
"2497": "Add function property.",
"2498": "Remove function property.",
"2499": "Machine key.",
"2500": "User key.",
"2501": "Key Derivation.",
"4352": "Device Access Bit 0",
"4353": "Device Access Bit 1",
"4354": "Device Access Bit 2",
"4355": "Device Access Bit 3",
"4356": "Device Access Bit 4",
"4357": "Device Access Bit 5",
"4358": "Device Access Bit 6",
"4359": "Device Access Bit 7",
"4360": "Device Access Bit 8",
"4361": "Undefined Access (no effect) Bit 9",
"4362": "Undefined Access (no effect) Bit 10",
"4363": "Undefined Access (no effect) Bit 11",
"4364": "Undefined Access (no effect) Bit 12",
"4365": "Undefined Access (no effect) Bit 13",
"4366": "Undefined Access (no effect) Bit 14",
"4367": "Undefined Access (no effect) Bit 15",
"4368": "Query directory",
"4369": "Traverse",
"4370": "Create object in directory",
"4371": "Create sub-directory",
"4372": "Undefined Access (no effect) Bit 4",
"4373": "Undefined Access (no effect) Bit 5",
"4374": "Undefined Access (no effect) Bit 6",
"4375": "Undefined Access (no effect) Bit 7",
"4376": "Undefined Access (no effect) Bit 8",
"4377": "Undefined Access (no effect) Bit 9",
"4378": "Undefined Access (no effect) Bit 10",
"4379": "Undefined Access (no effect) Bit 11",
"4380": "Undefined Access (no effect) Bit 12",
"4381": "Undefined Access (no effect) Bit 13",
"4382": "Undefined Access (no effect) Bit 14",
"4383": "Undefined Access (no effect) Bit 15",
"4384": "Query event state",
"4385": "Modify event state",
"4386": "Undefined Access (no effect) Bit 2",
"4387": "Undefined Access (no effect) Bit 3",
"4388": "Undefined Access (no effect) Bit 4",
"4389": "Undefined Access (no effect) Bit 5",
"4390": "Undefined Access (no effect) Bit 6",
"4391": "Undefined Access (no effect) Bit 7",
"4392": "Undefined Access (no effect) Bit 8",
"4393": "Undefined Access (no effect) Bit 9",
"4394": "Undefined Access (no effect) Bit 10",
"4395": "Undefined Access (no effect) Bit 11",
"4396": "Undefined Access (no effect) Bit 12",
"4397": "Undefined Access (no effect) Bit 13",
"4398": "Undefined Access (no effect) Bit 14",
"4399": "Undefined Access (no effect) Bit 15",
"4416": "ReadData (or ListDirectory)",
"4417": "WriteData (or AddFile)",
"4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
"4419": "ReadEA",
"4420": "WriteEA",
"4421": "Execute/Traverse",
"4422": "DeleteChild",
"4423": "ReadAttributes",
"4424": "WriteAttributes",
"4425": "Undefined Access (no effect) Bit 9",
"4426": "Undefined Access (no effect) Bit 10",
"4427": "Undefined Access (no effect) Bit 11",
"4428": "Undefined Access (no effect) Bit 12",
"4429": "Undefined Access (no effect) Bit 13",
"4430": "Undefined Access (no effect) Bit 14",
"4431": "Undefined Access (no effect) Bit 15",
"4432": "Query key value",
"4433": "Set key value",
"4434": "Create sub-key",
"4435": "Enumerate sub-keys",
"4436": "Notify about changes to keys",
"4437": "Create Link",
"4438": "Undefined Access (no effect) Bit 6",
"4439": "Undefined Access (no effect) Bit 7",
"4440": "Enable 64(or 32) bit application to open 64 bit key",
"4441": "Enable 64(or 32) bit application to open 32 bit key",
"4442": "Undefined Access (no effect) Bit 10",
"4443": "Undefined Access (no effect) Bit 11",
"4444": "Undefined Access (no effect) Bit 12",
"4445": "Undefined Access (no effect) Bit 13",
"4446": "Undefined Access (no effect) Bit 14",
"4447": "Undefined Access (no effect) Bit 15",
"4448": "Query mutant state",
"4449": "Undefined Access (no effect) Bit 1",
"4450": "Undefined Access (no effect) Bit 2",
"4451": "Undefined Access (no effect) Bit 3",
"4452": "Undefined Access (no effect) Bit 4",
"4453": "Undefined Access (no effect) Bit 5",
"4454": "Undefined Access (no effect) Bit 6",
"4455": "Undefined Access (no effect) Bit 7",
"4456": "Undefined Access (no effect) Bit 8",
"4457": "Undefined Access (no effect) Bit 9",
"4458": "Undefined Access (no effect) Bit 10",
"4459": "Undefined Access (no effect) Bit 11",
"4460": "Undefined Access (no effect) Bit 12",
"4461": "Undefined Access (no effect) Bit 13",
"4462": "Undefined Access (no effect) Bit 14",
"4463": "Undefined Access (no effect) Bit 15",
"4464": "Communicate using port",
"4465": "Undefined Access (no effect) Bit 1",
"4466": "Undefined Access (no effect) Bit 2",
"4467": "Undefined Access (no effect) Bit 3",
"4468": "Undefined Access (no effect) Bit 4",
"4469": "Undefined Access (no effect) Bit 5",
"4470": "Undefined Access (no effect) Bit 6",
"4471": "Undefined Access (no effect) Bit 7",
"4472": "Undefined Access (no effect) Bit 8",
"4473": "Undefined Access (no effect) Bit 9",
"4474": "Undefined Access (no effect) Bit 10",
"4475": "Undefined Access (no effect) Bit 11",
"4476": "Undefined Access (no effect) Bit 12",
"4477": "Undefined Access (no effect) Bit 13",
"4478": "Undefined Access (no effect) Bit 14",
"4479": "Undefined Access (no effect) Bit 15",
"4480": "Force process termination",
"4481": "Create new thread in process",
"4482": "Set process session ID",
"4483": "Perform virtual memory operation",
"4484": "Read from process memory",
"4485": "Write to process memory",
"4486": "Duplicate handle into or out of process",
"4487": "Create a subprocess of process",
"4488": "Set process quotas",
"4489": "Set process information",
"4490": "Query process information",
"4491": "Set process termination port",
"4492": "Undefined Access (no effect) Bit 12",
"4493": "Undefined Access (no effect) Bit 13",
"4494": "Undefined Access (no effect) Bit 14",
"4495": "Undefined Access (no effect) Bit 15",
"4496": "Control profile",
"4497": "Undefined Access (no effect) Bit 1",
"4498": "Undefined Access (no effect) Bit 2",
"4499": "Undefined Access (no effect) Bit 3",
"4500": "Undefined Access (no effect) Bit 4",
"4501": "Undefined Access (no effect) Bit 5",
"4502": "Undefined Access (no effect) Bit 6",
"4503": "Undefined Access (no effect) Bit 7",
"4504": "Undefined Access (no effect) Bit 8",
"4505": "Undefined Access (no effect) Bit 9",
"4506": "Undefined Access (no effect) Bit 10",
"4507": "Undefined Access (no effect) Bit 11",
"4508": "Undefined Access (no effect) Bit 12",
"4509": "Undefined Access (no effect) Bit 13",
"4510": "Undefined Access (no effect) Bit 14",
"4511": "Undefined Access (no effect) Bit 15",
"4512": "Query section state",
"4513": "Map section for write",
"4514": "Map section for read",
"4515": "Map section for execute",
"4516": "Extend size",
"4517": "Undefined Access (no effect) Bit 5",
"4518": "Undefined Access (no effect) Bit 6",
"4519": "Undefined Access (no effect) Bit 7",
"4520": "Undefined Access (no effect) Bit 8",
"4521": "Undefined Access (no effect) Bit 9",
"4522": "Undefined Access (no effect) Bit 10",
"4523": "Undefined Access (no effect) Bit 11",
"4524": "Undefined Access (no effect) Bit 12",
"4525": "Undefined Access (no effect) Bit 13",
"4526": "Undefined Access (no effect) Bit 14",
"4527": "Undefined Access (no effect) Bit 15",
"4528": "Query semaphore state",
"4529": "Modify semaphore state",
"4530": "Undefined Access (no effect) Bit 2",
"4531": "Undefined Access (no effect) Bit 3",
"4532": "Undefined Access (no effect) Bit 4",
"4533": "Undefined Access (no effect) Bit 5",
"4534": "Undefined Access (no effect) Bit 6",
"4535": "Undefined Access (no effect) Bit 7",
"4536": "Undefined Access (no effect) Bit 8",
"4537": "Undefined Access (no effect) Bit 9",
"4538": "Undefined Access (no effect) Bit 10",
"4539": "Undefined Access (no effect) Bit 11",
"4540": "Undefined Access (no effect) Bit 12",
"4541": "Undefined Access (no effect) Bit 13",
"4542": "Undefined Access (no effect) Bit 14",
"4543": "Undefined Access (no effect) Bit 15",
"4544": "Use symbolic link",
"4545": "Undefined Access (no effect) Bit 1",
"4546": "Undefined Access (no effect) Bit 2",
"4547": "Undefined Access (no effect) Bit 3",
"4548": "Undefined Access (no effect) Bit 4",
"4549": "Undefined Access (no effect) Bit 5",
"4550": "Undefined Access (no effect) Bit 6",
"4551": "Undefined Access (no effect) Bit 7",
"4552": "Undefined Access (no effect) Bit 8",
"4553": "Undefined Access (no effect) Bit 9",
"4554": "Undefined Access (no effect) Bit 10",
"4555": "Undefined Access (no effect) Bit 11",
"4556": "Undefined Access (no effect) Bit 12",
"4557": "Undefined Access (no effect) Bit 13",
"4558": "Undefined Access (no effect) Bit 14",
"4559": "Undefined Access (no effect) Bit 15",
"4560": "Force thread termination",
"4561": "Suspend or resume thread",
"4562": "Send an alert to thread",
"4563": "Get thread context",
"4564": "Set thread context",
"4565": "Set thread information",
"4566": "Query thread information",
"4567": "Assign a token to the thread",
"4568": "Cause thread to directly impersonate another thread",
"4569": "Directly impersonate this thread",
"4570": "Undefined Access (no effect) Bit 10",
"4571": "Undefined Access (no effect) Bit 11",
"4572": "Undefined Access (no effect) Bit 12",
"4573": "Undefined Access (no effect) Bit 13",
"4574": "Undefined Access (no effect) Bit 14",
"4575": "Undefined Access (no effect) Bit 15",
"4576": "Query timer state",
"4577": "Modify timer state",
"4578": "Undefined Access (no effect) Bit 2",
"4579": "Undefined Access (no effect) Bit 3",
"4580": "Undefined Access (no effect) Bit 4",
"4581": "Undefined Access (no effect) Bit 5",
"4582": "Undefined Access (no effect) Bit 6",
"4584": "Undefined Access (no effect) Bit 8",
"4585": "Undefined Access (no effect) Bit 9",
"4586": "Undefined Access (no effect) Bit 10",
"4587": "Undefined Access (no effect) Bit 11",
"4588": "Undefined Access (no effect) Bit 12",
"4589": "Undefined Access (no effect) Bit 13",
"4590": "Undefined Access (no effect) Bit 14",
"4591": "Undefined Access (no effect) Bit 15",
"4592": "AssignAsPrimary",
"4593": "Duplicate",
"4594": "Impersonate",
"4595": "Query",
"4596": "QuerySource",
"4597": "AdjustPrivileges",
"4598": "AdjustGroups",
"4599": "AdjustDefaultDacl",
"4600": "AdjustSessionID",
"4601": "Undefined Access (no effect) Bit 9",
"4602": "Undefined Access (no effect) Bit 10",
"4603": "Undefined Access (no effect) Bit 11",
"4604": "Undefined Access (no effect) Bit 12",
"4605": "Undefined Access (no effect) Bit 13",
"4606": "Undefined Access (no effect) Bit 14",
"4607": "Undefined Access (no effect) Bit 15",
"4608": "Create instance of object type",
"4609": "Undefined Access (no effect) Bit 1",
"4610": "Undefined Access (no effect) Bit 2",
"4611": "Undefined Access (no effect) Bit 3",
"4612": "Undefined Access (no effect) Bit 4",
"4613": "Undefined Access (no effect) Bit 5",
"4614": "Undefined Access (no effect) Bit 6",
"4615": "Undefined Access (no effect) Bit 7",
"4616": "Undefined Access (no effect) Bit 8",
"4617": "Undefined Access (no effect) Bit 9",
"4618": "Undefined Access (no effect) Bit 10",
"4619": "Undefined Access (no effect) Bit 11",
"4620": "Undefined Access (no effect) Bit 12",
"4621": "Undefined Access (no effect) Bit 13",
"4622": "Undefined Access (no effect) Bit 14",
"4623": "Undefined Access (no effect) Bit 15",
"4864": "Query State",
"4865": "Modify State",
"5120": "Channel read message",
"5121": "Channel write message",
"5122": "Channel query information",
"5123": "Channel set information",
"5124": "Undefined Access (no effect) Bit 4",
"5125": "Undefined Access (no effect) Bit 5",
"5126": "Undefined Access (no effect) Bit 6",
"5127": "Undefined Access (no effect) Bit 7",
"5128": "Undefined Access (no effect) Bit 8",
"5129": "Undefined Access (no effect) Bit 9",
"5130": "Undefined Access (no effect) Bit 10",
"5131": "Undefined Access (no effect) Bit 11",
"5132": "Undefined Access (no effect) Bit 12",
"5133": "Undefined Access (no effect) Bit 13",
"5134": "Undefined Access (no effect) Bit 14",
"5135": "Undefined Access (no effect) Bit 15",
"5136": "Assign process",
"5137": "Set Attributes",
"5138": "Query Attributes",
"5139": "Terminate Job",
"5140": "Set Security Attributes",
"5141": "Undefined Access (no effect) Bit 5",
"5142": "Undefined Access (no effect) Bit 6",
"5143": "Undefined Access (no effect) Bit 7",
"5144": "Undefined Access (no effect) Bit 8",
"5145": "Undefined Access (no effect) Bit 9",
"5146": "Undefined Access (no effect) Bit 10",
"5147": "Undefined Access (no effect) Bit 11",
"5148": "Undefined Access (no effect) Bit 12",
"5149": "Undefined Access (no effect) Bit 13",
"5150": "Undefined Access (no effect) Bit 14",
"5151": "Undefined Access (no effect) Bit 15",
"5376": "ConnectToServer",
"5377": "ShutdownServer",
"5378": "InitializeServer",
"5379": "CreateDomain",
"5380": "EnumerateDomains",
"5381": "LookupDomain",
"5382": "Undefined Access (no effect) Bit 6",
"5383": "Undefined Access (no effect) Bit 7",
"5384": "Undefined Access (no effect) Bit 8",
"5385": "Undefined Access (no effect) Bit 9",
"5386": "Undefined Access (no effect) Bit 10",
"5387": "Undefined Access (no effect) Bit 11",
"5388": "Undefined Access (no effect) Bit 12",
"5389": "Undefined Access (no effect) Bit 13",
"5390": "Undefined Access (no effect) Bit 14",
"5391": "Undefined Access (no effect) Bit 15",
"5392": "ReadPasswordParameters",
"5393": "WritePasswordParameters",
"5394": "ReadOtherParameters",
"5395": "WriteOtherParameters",
"5396": "CreateUser",
"5397": "CreateGlobalGroup",
"5398": "CreateLocalGroup",
"5399": "GetLocalGroupMembership",
"5400": "ListAccounts",
"5401": "LookupIDs",
"5402": "AdministerServer",
"5403": "Undefined Access (no effect) Bit 11",
"5404": "Undefined Access (no effect) Bit 12",
"5405": "Undefined Access (no effect) Bit 13",
"5406": "Undefined Access (no effect) Bit 14",
"5407": "Undefined Access (no effect) Bit 15",
"5408": "ReadInformation",
"5409": "WriteAccount",
"5410": "AddMember",
"5411": "RemoveMember",
"5412": "ListMembers",
"5413": "Undefined Access (no effect) Bit 5",
"5414": "Undefined Access (no effect) Bit 6",
"5415": "Undefined Access (no effect) Bit 7",
"5416": "Undefined Access (no effect) Bit 8",
"5417": "Undefined Access (no effect) Bit 9",
"5418": "Undefined Access (no effect) Bit 10",
"5419": "Undefined Access (no effect) Bit 11",
"5420": "Undefined Access (no effect) Bit 12",
"5421": "Undefined Access (no effect) Bit 13",
"5422": "Undefined Access (no effect) Bit 14",
"5423": "Undefined Access (no effect) Bit 15",
"5424": "AddMember",
"5425": "RemoveMember",
"5426": "ListMembers",
"5427": "ReadInformation",
"5428": "WriteAccount",
"5429": "Undefined Access (no effect) Bit 5",
"5430": "Undefined Access (no effect) Bit 6",
"5431": "Undefined Access (no effect) Bit 7",
"5432": "Undefined Access (no effect) Bit 8",
"5433": "Undefined Access (no effect) Bit 9",
"5434": "Undefined Access (no effect) Bit 10",
"5435": "Undefined Access (no effect) Bit 11",
"5436": "Undefined Access (no effect) Bit 12",
"5437": "Undefined Access (no effect) Bit 13",
"5438": "Undefined Access (no effect) Bit 14",
"5439": "Undefined Access (no effect) Bit 15",
"5440": "ReadGeneralInformation",
"5441": "ReadPreferences",
"5442": "WritePreferences",
"5443": "ReadLogon",
"5444": "ReadAccount",
"5445": "WriteAccount",
"5446": "ChangePassword (with knowledge of old password)",
"5447": "SetPassword (without knowledge of old password)",
"5448": "ListGroups",
"5449": "ReadGroupMembership",
"5450": "ChangeGroupMembership",
"5451": "Undefined Access (no effect) Bit 11",
"5452": "Undefined Access (no effect) Bit 12",
"5453": "Undefined Access (no effect) Bit 13",
"5454": "Undefined Access (no effect) Bit 14",
"5455": "Undefined Access (no effect) Bit 15",
"5632": "View non-sensitive policy information",
"5633": "View system audit requirements",
"5634": "Get sensitive policy information",
"5635": "Modify domain trust relationships",
"5636": "Create special accounts (for assignment of user rights)",
"5637": "Create a secret object",
"5638": "Create a privilege",
"5639": "Set default quota limits",
"5640": "Change system audit requirements",
"5641": "Administer audit log attributes",
"5642": "Enable/Disable LSA",
"5643": "Lookup Names/SIDs",
"5648": "Change secret value",
"5649": "Query secret value",
"5650": "Undefined Access (no effect) Bit 2",
"5651": "Undefined Access (no effect) Bit 3",
"5652": "Undefined Access (no effect) Bit 4",
"5653": "Undefined Access (no effect) Bit 5",
"5654": "Undefined Access (no effect) Bit 6",
"5655": "Undefined Access (no effect) Bit 7",
"5656": "Undefined Access (no effect) Bit 8",
"5657": "Undefined Access (no effect) Bit 9",
"5658": "Undefined Access (no effect) Bit 10",
"5659": "Undefined Access (no effect) Bit 11",
"5660": "Undefined Access (no effect) Bit 12",
"5661": "Undefined Access (no effect) Bit 13",
"5662": "Undefined Access (no effect) Bit 14",
"5663": "Undefined Access (no effect) Bit 15",
"5664": "Query trusted domain name/SID",
"5665": "Retrieve the controllers in the trusted domain",
"5666": "Change the controllers in the trusted domain",
"5667": "Query the Posix ID offset assigned to the trusted domain",
"5668": "Change the Posix ID offset assigned to the trusted domain",
"5669": "Undefined Access (no effect) Bit 5",
"5670": "Undefined Access (no effect) Bit 6",
"5671": "Undefined Access (no effect) Bit 7",
"5672": "Undefined Access (no effect) Bit 8",
"5673": "Undefined Access (no effect) Bit 9",
"5674": "Undefined Access (no effect) Bit 10",
"5675": "Undefined Access (no effect) Bit 11",
"5676": "Undefined Access (no effect) Bit 12",
"5677": "Undefined Access (no effect) Bit 13",
"5678": "Undefined Access (no effect) Bit 14",
"5679": "Undefined Access (no effect) Bit 15",
"5680": "Query account information",
"5681": "Change privileges assigned to account",
"5682": "Change quotas assigned to account",
"5683": "Change logon capabilities assigned to account",
"5684": "Change the Posix ID offset assigned to the accounted domain",
"5685": "Undefined Access (no effect) Bit 5",
"5686": "Undefined Access (no effect) Bit 6",
"5687": "Undefined Access (no effect) Bit 7",
"5688": "Undefined Access (no effect) Bit 8",
"5689": "Undefined Access (no effect) Bit 9",
"5690": "Undefined Access (no effect) Bit 10",
"5691": "Undefined Access (no effect) Bit 11",
"5692": "Undefined Access (no effect) Bit 12",
"5693": "Undefined Access (no effect) Bit 13",
"5694": "Undefined Access (no effect) Bit 14",
"5695": "Undefined Access (no effect) Bit 15",
"5696": "KeyedEvent Wait",
"5697": "KeyedEvent Wake",
"5698": "Undefined Access (no effect) Bit 2",
"5699": "Undefined Access (no effect) Bit 3",
"5700": "Undefined Access (no effect) Bit 4",
"5701": "Undefined Access (no effect) Bit 5",
"5702": "Undefined Access (no effect) Bit 6",
"5703": "Undefined Access (no effect) Bit 7",
"5704": "Undefined Access (no effect) Bit 8",
"5705": "Undefined Access (no effect) Bit 9",
"5706": "Undefined Access (no effect) Bit 10",
"5707": "Undefined Access (no effect) Bit 11",
"5708": "Undefined Access (no effect) Bit 12",
"5709": "Undefined Access (no effect) Bit 13",
"5710": "Undefined Access (no effect) Bit 14",
"5711": "Undefined Access (no effect) Bit 15",
"6656": "Enumerate desktops",
"6657": "Read attributes",
"6658": "Access Clipboard",
"6659": "Create desktop",
"6660": "Write attributes",
"6661": "Access global atoms",
"6662": "Exit windows",
"6663": "Unused Access Flag",
"6664": "Include this windowstation in enumerations",
"6665": "Read screen",
"6672": "Read Objects",
"6673": "Create window",
"6674": "Create menu",
"6675": "Hook control",
"6676": "Journal (record)",
"6677": "Journal (playback)",
"6678": "Include this desktop in enumerations",
"6679": "Write objects",
"6680": "Switch to this desktop",
"6912": "Administer print server",
"6913": "Enumerate printers",
"6930": "Full Control",
"6931": "Print",
"6948": "Administer Document",
"7168": "Connect to service controller",
"7169": "Create a new service",
"7170": "Enumerate services",
"7171": "Lock service database for exclusive access",
"7172": "Query service database lock state",
"7173": "Set last-known-good state of service database",
"7184": "Query service configuration information",
"7185": "Set service configuration information",
"7186": "Query status of service",
"7187": "Enumerate dependencies of service",
"7188": "Start the service",
"7189": "Stop the service",
"7190": "Pause or continue the service",
"7191": "Query information from service",
"7192": "Issue service-specific control commands",
"7424": "DDE Share Read",
"7425": "DDE Share Write",
"7426": "DDE Share Initiate Static",
"7427": "DDE Share Initiate Link",
"7428": "DDE Share Request",
"7429": "DDE Share Advise",
"7430": "DDE Share Poke",
"7431": "DDE Share Execute",
"7432": "DDE Share Add Items",
"7433": "DDE Share List Items",
"7680": "Create Child",
"7681": "Delete Child",
"7682": "List Contents",
"7683": "Write Self",
"7684": "Read Property",
"7685": "Write Property",
"7686": "Delete Tree",
"7687": "List Object",
"7688": "Control Access",
"7689": "Undefined Access (no effect) Bit 9",
"7690": "Undefined Access (no effect) Bit 10",
"7691": "Undefined Access (no effect) Bit 11",
"7692": "Undefined Access (no effect) Bit 12",
"7693": "Undefined Access (no effect) Bit 13",
"7694": "Undefined Access (no effect) Bit 14",
"7695": "Undefined Access (no effect) Bit 15",
"7936": "Audit Set System Policy",
"7937": "Audit Query System Policy",
"7938": "Audit Set Per User Policy",
"7939": "Audit Query Per User Policy",
"7940": "Audit Enumerate Users",
"7941": "Audit Set Options",
"7942": "Audit Query Options",
"8064": "Port sharing (read)",
"8065": "Port sharing (write)",
"8096": "Default credentials",
"8097": "Credentials manager",
"8098": "Fresh credentials",
"8192": "Kerberos",
"8193": "Preshared key",
"8194": "Unknown authentication",
"8195": "DES",
"8196": "3DES",
"8197": "MD5",
"8198": "SHA1",
"8199": "Local computer",
"8200": "Remote computer",
"8201": "No state",
"8202": "Sent first (SA) payload",
"8203": "Sent second (KE) payload",
"8204": "Sent third (ID) payload",
"8205": "Initiator",
"8206": "Responder",
"8207": "No state",
"8208": "Sent first (SA) payload",
"8209": "Sent final payload",
"8210": "Complete",
"8211": "Unknown",
"8212": "Transport",
"8213": "Tunnel",
"8214": "IKE/AuthIP DoS prevention mode started",
"8215": "IKE/AuthIP DoS prevention mode stopped",
"8216": "Enabled",
"8217": "Not enabled",
"8218": "No state",
"8219": "Sent first (EM attributes) payload",
"8220": "Sent second (SSPI) payload",
"8221": "Sent third (hash) payload",
"8222": "IKEv1",
"8223": "AuthIP",
"8224": "Anonymous",
"8225": "NTLM V2",
"8226": "CGA",
"8227": "Certificate",
"8228": "SSL",
"8229": "None",
"8230": "DH group 1",
"8231": "DH group 2",
"8232": "DH group 14",
"8233": "DH group ECP 256",
"8234": "DH group ECP 384",
"8235": "AES-128",
"8236": "AES-192",
"8237": "AES-256",
"8238": "Certificate ECDSA P256",
"8239": "Certificate ECDSA P384",
"8240": "SSL ECDSA P256",
"8241": "SSL ECDSA P384",
"8242": "SHA 256",
"8243": "SHA 384",
"8244": "IKEv2",
"8245": "EAP payload sent",
"8246": "Authentication payload sent",
"8247": "EAP",
"8248": "DH group 24",
"8272": "System",
"8273": "Logon/Logoff",
"8274": "Object Access",
"8275": "Privilege Use",
"8276": "Detailed Tracking",
"8277": "Policy Change",
"8278": "Account Management",
"8279": "DS Access",
"8280": "Account Logon",
"8448": "Success removed",
"8449": "Success Added",
"8450": "Failure removed",
"8451": "Failure added",
"8452": "Success include removed",
"8453": "Success include added",
"8454": "Success exclude removed",
"8455": "Success exclude added",
"8456": "Failure include removed",
"8457": "Failure include added",
"8458": "Failure exclude removed",
"8459": "Failure exclude added",
"12288": "Security State Change",
"12289": "Security System Extension",
"12290": "System Integrity",
"12291": "IPsec Driver",
"12292": "Other System Events",
"12544": "Logon",
"12545": "Logoff",
"12546": "Account Lockout",
"12547": "IPsec Main Mode",
"12548": "Special Logon",
"12549": "IPsec Quick Mode",
"12550": "IPsec Extended Mode",
"12551": "Other Logon/Logoff Events",
"12552": "Network Policy Server",
"12553": "User / Device Claims",
"12554": "Group Membership",
"12800": "File System",
"12801": "Registry",
"12802": "Kernel Object",
"12803": "SAM",
"12804": "Other Object Access Events",
"12805": "Certification Services",
"12806": "Application Generated",
"12807": "Handle Manipulation",
"12808": "File Share",
"12809": "Filtering Platform Packet Drop",
"12810": "Filtering Platform Connection",
"12811": "Detailed File Share",
"12812": "Removable Storage",
"12813": "Central Policy Staging",
"13056": "Sensitive Privilege Use",
"13057": "Non Sensitive Privilege Use",
"13058": "Other Privilege Use Events",
"13312": "Process Creation",
"13313": "Process Termination",
"13314": "DPAPI Activity",
"13315": "RPC Events",
"13316": "Plug and Play Events",
"13317": "Token Right Adjusted Events",
"13568": "Audit Policy Change",
"13569": "Authentication Policy Change",
"13570": "Authorization Policy Change",
"13571": "MPSSVC Rule-Level Policy Change",
"13572": "Filtering Platform Policy Change",
"13573": "Other Policy Change Events",
"13824": "User Account Management",
"13825": "Computer Account Management",
"13826": "Security Group Management",
"13827": "Distribution Group Management",
"13828": "Application Group Management",
"13829": "Other Account Management Events",
"14080": "Directory Service Access",
"14081": "Directory Service Changes",
"14082": "Directory Service Replication",
"14083": "Detailed Directory Service Replication",
"14336": "Credential Validation",
"14337": "Kerberos Service Ticket Operations",
"14338": "Other Account Logon Events",
"14339": "Kerberos Authentication Service",
"14592": "Inbound",
"14593": "Outbound",
"14594": "Forward",
"14595": "Bidirectional",
"14596": "IP Packet",
"14597": "Transport",
"14598": "Forward",
"14599": "Stream",
"14600": "Datagram Data",
"14601": "ICMP Error",
"14602": "MAC 802.3",
"14603": "MAC Native",
"14604": "vSwitch",
"14608": "Resource Assignment",
"14609": "Listen",
"14610": "Receive/Accept",
"14611": "Connect",
"14612": "Flow Established",
"14614": "Resource Release",
"14615": "Endpoint Closure",
"14616": "Connect Redirect",
"14617": "Bind Redirect",
"14624": "Stream Packet",
"14640": "ICMP Echo-Request",
"14641": "vSwitch Ingress",
"14642": "vSwitch Egress",
"14672": "<Binary>",
"14673": "[NULL]",
"14674": "Value Added",
"14675": "Value Deleted",
"14676": "Active Directory Domain Services",
"14677": "Active Directory Lightweight Directory Services",
"14678": "Yes",
"14679": "No",
"14680": "Value Added With Expiration Time",
"14681": "Value Deleted With Expiration Time",
"14688": "Value Auto Deleted With Expiration Time",
"16384": "Add",
"16385": "Delete",
"16386": "Boot-time",
"16387": "Persistent",
"16388": "Not persistent",
"16389": "Block",
"16390": "Permit",
"16391": "Callout",
"16392": "MD5",
"16393": "SHA-1",
"16394": "SHA-256",
"16395": "AES-GCM 128",
"16396": "AES-GCM 192",
"16397": "AES-GCM 256",
"16398": "DES",
"16399": "3DES",
"16400": "AES-128",
"16401": "AES-192",
"16402": "AES-256",
"16403": "Transport",
"16404": "Tunnel",
"16405": "Responder",
"16406": "Initiator",
"16407": "AES-GMAC 128",
"16408": "AES-GMAC 192",
"16409": "AES-GMAC 256",
"16416": "AuthNoEncap Transport",
"16896": "Enable WMI Account",
"16897": "Execute Method",
"16898": "Full Write",
"16899": "Partial Write",
"16900": "Provider Write",
"16901": "Remote Access",
"16902": "Subscribe",
"16903": "Publish",
};
// lookupMessageCode returns the string associated with the code. key should
// be the name of the field in evt containing the code (e.g. %%2313).
var lookupMessageCode = function (evt, key) {
var code = evt.Get(key);
if (!code) {
return;
}
code = code.replace("%%", "");
return msobjsMessageTable[code];
};
var addEventFields = function(evt){
var code = evt.Get("event.code");
if (!code) {
return;
}
var eventActionDescription = eventActionTypes[code][2];
if (eventActionDescription) {
evt.AppendTo("event.category", eventActionTypes[code][0]);
evt.AppendTo("event.type", eventActionTypes[code][1]);
evt.Put("event.action", eventActionTypes[code][2]);
}
};
var addLogonType = function(evt) {
var code = evt.Get("winlog.event_data.LogonType");
if (!code) {
return;
}
var descriptiveLogonType = logonTypes[code];
if (descriptiveLogonType === undefined) {
return;
}
evt.Put("winlog.logon.type", descriptiveLogonType);
};
var addFailureCode = function(evt) {
var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason");
if (!msg) {
return;
}
evt.Put("winlog.logon.failure.reason", msg);
};
var addFailureStatus = function(evt) {
var code = evt.Get("winlog.event_data.Status");
if (!code) {
return;
}
var descriptiveFailureStatus = logonFailureStatus[code];
if (descriptiveFailureStatus === undefined) {
return;
}
evt.Put("winlog.logon.failure.status", descriptiveFailureStatus);
};
var addFailureSubStatus = function(evt) {
var code = evt.Get("winlog.event_data.SubStatus");
if (!code) {
return;
}
var descriptiveFailureStatus = logonFailureStatus[code];
if (descriptiveFailureStatus === undefined) {
return;
}
evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
};
var addUACDescription = function(evt) {
var code = evt.Get("winlog.event_data.NewUacValue");
if (!code) {
return;
}
var uacCode = parseInt(code);
var uacResult = [];
for (var i = 0; i < uacFlags.length; i++) {
if ((uacCode | uacFlags[i][0]) === uacCode) {
uacResult.push(uacFlags[i][1]);
}
}
if (uacResult) {
evt.Put("winlog.event_data.NewUACList", uacResult);
}
var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
if (!uacList) {
return;
}
evt.Put("winlog.event_data.UserAccountControl", uacList);
};
var addAuditInfo = function(evt) {
var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
if (!subcategoryGuid) {
return;
}
if (!auditDescription[subcategoryGuid]) {
return;
}
evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
var actionResults = [];
for (var j = 0; j < codedActions.length; j++) {
var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
actionResults.push(auditActions[actionCode]);
}
evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
};
var addTicketOptionsDescription = function(evt) {
var code = evt.Get("winlog.event_data.TicketOptions");
if (!code) {
return;
}
var tktCode = parseInt(code, 16).toString(2);
var tktResult = [];
var tktCodeLen = tktCode.length;
for (var i = tktCodeLen; i >= 0; i--) {
if (tktCode[i] == 1) {
tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
}
}
if (tktResult) {
evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
}
};
var addTicketEncryptionType = function(evt) {
var code = evt.Get("winlog.event_data.TicketEncryptionType");
if (!code) {
return;
}
var encTypeCode = code.toLowerCase();
evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
};
var addTicketStatus = function(evt) {
var code = evt.Get("winlog.event_data.Status");
if (!code) {
return;
}
evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
};
var addSessionData = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.AccountName", to: "user.name"},
{from: "winlog.event_data.AccountDomain", to: "user.domain"},
{from: "winlog.event_data.ClientAddress", to: "source.ip"},
{from: "winlog.event_data.ClientName", to: "source.domain"},
{from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
],
ignore_missing: true,
})
.Add(function(evt) {
var user = evt.Get("winlog.event_data.AccountName");
evt.AppendTo('related.user', user);
})
.Build();
var addServiceFields = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.ServiceName", to: "service.name"},
],
ignore_missing: true,
})
.Add(function(evt) {
var code = evt.Get("winlog.event_data.ServiceType");
if (!code) {
return;
}
evt.Put("service.type", serviceTypes[code]);
})
.Build();
var copyTargetUser = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.TargetUserSid", to: "user.id"},
{from: "winlog.event_data.TargetUserName", to: "user.name"},
{from: "winlog.event_data.TargetDomainName", to: "user.domain"},
],
ignore_missing: true,
})
.Add(function(evt) {
var user = evt.Get("winlog.event_data.TargetUserName");
if (/.@*/.test(user)) {
user = user.split('@')[0];
evt.Put('user.name', user);
}
evt.AppendTo('related.user', user);
})
.Build();
var copyTargetUserToGroup = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.TargetUserSid", to: "group.id"},
{from: "winlog.event_data.TargetUserName", to: "group.name"},
{from: "winlog.event_data.TargetDomainName", to: "group.domain"},
],
ignore_missing: true,
})
.Build();
var copyTargetUserToComputerObject = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
{from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
{from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
],
ignore_missing: true,
})
.Build();
var copyTargetUserLogonId = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
],
ignore_missing: true,
})
.Build();
var copySubjectUser = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.SubjectUserSid", to: "user.id"},
{from: "winlog.event_data.SubjectUserName", to: "user.name"},
{from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
],
ignore_missing: true,
})
.Add(function(evt) {
var user = evt.Get("winlog.event_data.SubjectUserName");
evt.AppendTo('related.user', user);
})
.Build();
var copySubjectUserFromUserData = new processor.Chain()
.Convert({
fields: [
{from: "winlog.user_data.SubjectUserSid", to: "user.id"},
{from: "winlog.user_data.SubjectUserName", to: "user.name"},
{from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
],
ignore_missing: true,
})
.Add(function(evt) {
var user = evt.Get("winlog.user_data.SubjectUserName");
evt.AppendTo('related.user', user);
})
.Build();
var copySubjectUserLogonId = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
],
ignore_missing: true,
})
.Build();
var copySubjectUserLogonIdFromUserData = new processor.Chain()
.Convert({
fields: [
{from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"},
],
ignore_missing: true,
})
.Build();
var renameCommonAuthFields = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
{from: "winlog.event_data.ProcessName", to: "process.executable"},
{from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
{from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
{from: "winlog.event_data.WorkstationName", to: "source.domain"},
],
mode: "rename",
ignore_missing: true,
fail_on_error: false,
})
.Add(function(evt) {
var name = evt.Get("process.name");
if (name) {
return;
}
var exe = evt.Get("process.executable");
if (!exe) {
return;
}
evt.Put("process.name", path.basename(exe));
})
.Build();
var renameNewProcessFields = new processor.Chain()
.Convert({
fields: [
{from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
{from: "winlog.event_data.NewProcessName", to: "process.executable"},
{from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
],
mode: "rename",
ignore_missing: true,
fail_on_error: false,
})
.Add(function(evt) {
var name = evt.Get("process.name");
if (name) {
return;
}
var exe = evt.Get("process.executable");
if (!exe) {
return;
}
evt.Put("process.name", path.basename(exe));
})
.Add(function(evt) {
var name = evt.Get("process.parent.name");
if (name) {
return;
}
var exe = evt.Get("process.parent.executable");
if (!exe) {
return;
}
evt.Put("process.parent.name", path.basename(exe));
})
.Add(function(evt) {
var cl = evt.Get("winlog.event_data.CommandLine");
if (!cl) {
return;
}
evt.Put("process.args", windows.splitCommandLine(cl));
evt.Put("process.command_line", cl);
})
.Build();
// Handles 4634 and 4647.
var logoff = new processor.Chain()
.Add(copyTargetUser)
.Add(copyTargetUserLogonId)
.Add(addLogonType)
.Add(addEventFields)
.Build();
// Handles both 4624
var logonSuccess = new processor.Chain()
.Add(copyTargetUser)
.Add(copyTargetUserLogonId)
.Add(addLogonType)
.Add(renameCommonAuthFields)
.Add(addEventFields)
.Add(function(evt) {
var user = evt.Get("winlog.event_data.SubjectUserName");
if (user) {
var res = /^-$/.test(user);
if (!res) {
evt.AppendTo('related.user', user);
}
}
})
.Build();
// Handles both 4648
var event4648 = new processor.Chain()
.Add(copyTargetUser)
.Add(copySubjectUserLogonId)
.Add(renameCommonAuthFields)
.Add(addEventFields)
.Add(function(evt) {
var user = evt.Get("winlog.event_data.SubjectUserName");
if (user) {
var res = /^-$/.test(user);
if (!res) {
evt.AppendTo('related.user', user);
}
}
})
.Build();
var event4625 = new processor.Chain()
.Add(copyTargetUser)
.Add(copySubjectUserLogonId)
.Add(addLogonType)
.Add(addFailureCode)
.Add(addFailureStatus)
.Add(addFailureSubStatus)
.Add(renameCommonAuthFields)
.Add(addEventFields)
.Build();
var event4672 = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(function(evt) {
var privs = evt.Get("winlog.event_data.PrivilegeList");
if (!privs) {
return;
}
evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
})
.Add(addEventFields)
.Build();
var event4688 = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(renameNewProcessFields)
.Add(addEventFields)
.Add(function(evt) {
var user = evt.Get("winlog.event_data.TargetUserName");
var res = /^-$/.test(user);
if (!res) {
evt.AppendTo('related.user', user);
}
})
.Build();
var event4689 = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(renameCommonAuthFields)
.Add(addEventFields)
.Build();
var event4697 = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(renameCommonAuthFields)
.Add(addServiceFields)
.Add(addEventFields)
.Add(function(evt) {
evt.AppendTo("event.type", "change");
})
.Build();
var userMgmtEvts = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(renameCommonAuthFields)
.Add(addUACDescription)
.Add(addEventFields)
.Add(function(evt) {
var user = evt.Get("winlog.event_data.TargetUserName");
evt.AppendTo('related.user', user);
evt.AppendTo("event.type", "user");
})
.Build();
var userRenamed = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(addEventFields)
.Add(function(evt) {
var userNew = evt.Get("winlog.event_data.NewTargetUserName");
evt.AppendTo('related.user', userNew);
var userOld = evt.Get("winlog.event_data.OldTargetUserName");
evt.AppendTo('related.user', userOld);
evt.AppendTo("event.type", "user");
})
.Build();
var groupMgmtEvts = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(copyTargetUserToGroup)
.Add(renameCommonAuthFields)
.Add(addEventFields)
.Add(function(evt) {
evt.AppendTo("event.type", "group");
var member = evt.Get("winlog.event_data.MemberName");
if (!member) {
return;
}
evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', ''));
})
.Build();
var auditLogCleared = new processor.Chain()
.Add(copySubjectUserFromUserData)
.Add(copySubjectUserLogonIdFromUserData)
.Add(renameCommonAuthFields)
.Add(addEventFields)
.Add(function(evt) {
evt.AppendTo("event.type", "change");
})
.Build();
var auditChanged = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(renameCommonAuthFields)
.Add(addAuditInfo)
.Add(addEventFields)
.Add(function(evt) {
evt.AppendTo("event.type", "change");
})
.Build();
var auditLogMgmt = new processor.Chain()
.Add(renameCommonAuthFields)
.Add(addEventFields)
.Build();
var computerMgmtEvts = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(copyTargetUserToComputerObject)
.Add(renameCommonAuthFields)
.Add(addUACDescription)
.Add(addEventFields)
.Add(function(evt) {
var privs = evt.Get("winlog.event_data.PrivilegeList");
if (!privs) {
return;
}
evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
evt.AppendTo("event.type", "admin");
})
.Build();
var sessionEvts = new processor.Chain()
.Add(addSessionData)
.Add(addEventFields)
.Build();
var event4964 = new processor.Chain()
.Add(copyTargetUser)
.Add(copyTargetUserLogonId)
.Add(addEventFields)
.Add(function(evt) {
evt.AppendTo("event.type", "group");
})
.Build();
var kerberosTktEvts = new processor.Chain()
.Add(copyTargetUser)
.Add(renameCommonAuthFields)
.Add(addTicketOptionsDescription)
.Add(addTicketEncryptionType)
.Add(addTicketStatus)
.Add(addEventFields)
.Add(function(evt) {
var ip = evt.Get("source.ip");
if (/::ffff:/.test(ip)) {
evt.Put("source.ip", ip.replace("::ffff:", ""));
}
})
.Build();
var event4776 = new processor.Chain()
.Add(copyTargetUser)
.Add(addFailureStatus)
.Add(addEventFields)
.Build();
var scheduledTask = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(addEventFields)
.Add(function(evt) {
evt.AppendTo("event.type", "admin");
})
.Build();
var sensitivePrivilege = new processor.Chain()
.Add(copySubjectUser)
.Add(copySubjectUserLogonId)
.Add(renameCommonAuthFields)
.Add(addEventFields)
.Add(function(evt) {
var privs = evt.Get("winlog.event_data.PrivilegeList");
if (!privs) {
return;
}
evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
})
.Add(function(evt){
var maskCodes = evt.Get("winlog.event_data.AccessMask");
if (!maskCodes) {
return;
}
var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String);
evt.Put("winlog.event_data.AccessMask", maskList);
var maskResults = [];
for (var j = 0; j < maskList.length; j++) {
var description = msobjsMessageTable[maskList[j]];
if (description === undefined) {
return;
}
maskResults.push(description);
}
evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
})
.Build();
return {
// 1100 - The event logging service has shut down.
1100: auditLogMgmt.Run,
// 1102 - The audit log was cleared.
1102: auditLogCleared.Run,
// 1104 - The security log is now full.
1104: auditLogMgmt.Run,
// 1105 - Event log automatic backup.
1105: auditLogMgmt.Run,
// 1108 - The event logging service encountered an error while processing an incoming event published from %1
1108: auditLogMgmt.Run,
// 4624 - An account was successfully logged on.
4624: logonSuccess.Run,
// 4625 - An account failed to log on.
4625: event4625.Run,
// 4634 - An account was logged off.
4634: logoff.Run,
// 4647 - User initiated logoff.
4647: logoff.Run,
// 4648 - A logon was attempted using explicit credentials.
4648: event4648.Run,
// 4672 - Special privileges assigned to new logon.
4672: event4672.Run,
// 4673 - A privileged service was called.
4673: sensitivePrivilege.Run,
// 4674 - An operation was attempted on a privileged object.
4674: sensitivePrivilege.Run,
// 4688 - A new process has been created.
4688: event4688.Run,
// 4689 - A process has exited.
4689: event4689.Run,
// 4697 - A service was installed in the system.
4697: event4697.Run,
// 4698 - A scheduled task was created.
4698: scheduledTask.Run,
// 4699 - A scheduled task was deleted.
4699: scheduledTask.Run,
// 4700 - A scheduled task was enabled.
4700: scheduledTask.Run,
// 4701 - A scheduled task was disabled.
4701: scheduledTask.Run,
// 4702 - A scheduled task was updated.
4702: scheduledTask.Run,
// 4719 - System audit policy was changed.
4719: auditChanged.Run,
// 4720 - A user account was created
4720: userMgmtEvts.Run,
// 4722 - A user account was enabled
4722: userMgmtEvts.Run,
// 4723 - An attempt was made to change an account's password
4723: userMgmtEvts.Run,
// 4724 - An attempt was made to reset an account's password
4724: userMgmtEvts.Run,
// 4725 - A user account was disabled.
4725: userMgmtEvts.Run,
// 4726 - An user account was deleted.
4726: userMgmtEvts.Run,
// 4727 - A security-enabled global group was created.
4727: groupMgmtEvts.Run,
// 4728 - A member was added to a security-enabled global group.
4728: groupMgmtEvts.Run,
// 4729 - A member was removed from a security-enabled global group.
4729: groupMgmtEvts.Run,
// 4730 - A security-enabled global group was deleted.
4730: groupMgmtEvts.Run,
// 4731 - A security-enabled local group was created.
4731: groupMgmtEvts.Run,
// 4732 - A member was added to a security-enabled local group.
4732: groupMgmtEvts.Run,
// 4733 - A member was removed from a security-enabled local group.
4733: groupMgmtEvts.Run,
// 4734 - A security-enabled local group was deleted.
4734: groupMgmtEvts.Run,
// 4735 - A security-enabled local group was changed.
4735: groupMgmtEvts.Run,
// 4737 - A security-enabled global group was changed.
4737: groupMgmtEvts.Run,
// 4738 - An user account was changed.
4738: userMgmtEvts.Run,
// 4740 - An account was locked out
4740: userMgmtEvts.Run,
// 4741 - A computer account was created.
4741: computerMgmtEvts.Run,
// 4742 - A computer account was changed.
4742: computerMgmtEvts.Run,
// 4743 - A computer account was deleted.
4743: computerMgmtEvts.Run,
// 4744 - A security-disabled local group was created.
4744: groupMgmtEvts.Run,
// 4745 - A security-disabled local group was changed.
4745: groupMgmtEvts.Run,
// 4746 - A member was added to a security-disabled local group.
4746: groupMgmtEvts.Run,
// 4747 - A member was removed from a security-disabled local group.
4747: groupMgmtEvts.Run,
// 4748 - A security-disabled local group was deleted.
4748: groupMgmtEvts.Run,
// 4749 - A security-disabled global group was created.
4749: groupMgmtEvts.Run,
// 4750 - A security-disabled global group was changed.
4750: groupMgmtEvts.Run,
// 4751 - A member was added to a security-disabled global group.
4751: groupMgmtEvts.Run,
// 4752 - A member was removed from a security-disabled global group.
4752: groupMgmtEvts.Run,
// 4753 - A security-disabled global group was deleted.
4753: groupMgmtEvts.Run,
// 4754 - A security-enabled universal group was created.
4754: groupMgmtEvts.Run,
// 4755 - A security-enabled universal group was changed.
4755: groupMgmtEvts.Run,
// 4756 - A member was added to a security-enabled universal group.
4756: groupMgmtEvts.Run,
// 4757 - A member was removed from a security-enabled universal group.
4757: groupMgmtEvts.Run,
// 4758 - A security-enabled universal group was deleted.
4758: groupMgmtEvts.Run,
// 4759 - A security-disabled universal group was created.
4759: groupMgmtEvts.Run,
// 4760 - A security-disabled universal group was changed.
4760: groupMgmtEvts.Run,
// 4761 - A member was added to a security-disabled universal group.
4761: groupMgmtEvts.Run,
// 4762 - A member was removed from a security-disabled universal group.
4762: groupMgmtEvts.Run,
// 4763 - A security-disabled global group was deleted.
4763: groupMgmtEvts.Run,
// 4764 - A group\'s type was changed.
4764: groupMgmtEvts.Run,
// 4767 - A user account was unlocked.
4767: userMgmtEvts.Run,
// 4768 - A Kerberos authentication ticket TGT was requested.
4768: kerberosTktEvts.Run,
// 4769 - A Kerberos service ticket was requested.
4769: kerberosTktEvts.Run,
// 4770 - A Kerberos service ticket was renewed.
4770: kerberosTktEvts.Run,
// 4771 - Kerberos pre-authentication failed.
4771: kerberosTktEvts.Run,
// 4776 - The computer attempted to validate the credentials for an account.
4776: event4776.Run,
// 4778 - A session was reconnected to a Window Station.
4778: sessionEvts.Run,
// 4779 - A session was disconnected from a Window Station.
4779: sessionEvts.Run,
// 4781 - The name of an account was changed.
4781: userRenamed.Run,
// 4798 - A user's local group membership was enumerated.
4798: userMgmtEvts.Run,
// 4799 - A security-enabled local group membership was enumerated.
4799: groupMgmtEvts.Run,
// 4964 - Special groups have been assigned to a new logon.
4964: event4964.Run,
process: function(evt) {
var eventId = evt.Get("winlog.event_id");
var processor = this[eventId];
if (processor === undefined) {
return;
}
evt.Put("event.module", "security");
processor(evt);
},
};
})();
function process(evt) {
return security.process(evt);
}
- id: 59f6c6b5-6418-4125-9daa-9853f8c77855
name: system-1
revision: 1
type: system/metrics
use_output: default
meta:
package:
name: system
version: 0.10.9
data_stream:
namespace: name
streams:
- id: system/metrics-system.process-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.process
type: metrics
metricsets:
- process
period: 10s
process.include_top_n.by_cpu: 5
process.include_top_n.by_memory: 5
process.cmdline.cache.enabled: true
process.cgroups.enabled: false
process.include_cpu_ticks: false
processes:
- .*
- id: system/metrics-system.cpu-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.cpu
type: metrics
metricsets:
- cpu
cpu.metrics:
- percentages
- normalized_percentages
period: 10s
- id: >-
system/metrics-system.socket_summary-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.socket_summary
type: metrics
metricsets:
- socket_summary
period: 10s
- id: system/metrics-system.load-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.load
type: metrics
metricsets:
- load
condition: '${host.platform} != ''windows'''
period: 10s
- id: system/metrics-system.diskio-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.diskio
type: metrics
metricsets:
- diskio
diskio.include_devices: null
period: 10s
- id: system/metrics-system.filesystem-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.filesystem
type: metrics
metricsets:
- filesystem
period: 1m
processors:
- drop_event.when.regexp:
system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
- id: system/metrics-system.fsstat-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.fsstat
type: metrics
metricsets:
- fsstat
period: 1m
processors:
- drop_event.when.regexp:
system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
- id: system/metrics-system.uptime-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.uptime
type: metrics
metricsets:
- uptime
period: 10s
- id: >-
system/metrics-system.process_summary-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.process_summary
type: metrics
metricsets:
- process_summary
period: 10s
- id: system/metrics-system.memory-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.memory
type: metrics
metricsets:
- memory
period: 10s
- id: system/metrics-system.network-59f6c6b5-6418-4125-9daa-9853f8c77855
data_stream:
dataset: system.network
type: metrics
metricsets:
- network
period: 10s
network.interfaces: null
- id: 7db6cd6d-d8e3-47ea-bdca-d87632797de8
name: Policy.Name
revision: 1
type: endpoint
use_output: default
meta:
package:
name: endpoint
version: 0.18.0
data_stream:
namespace: name
artifact_manifest:
manifest_version: 1.0.5
schema_version: v1
artifacts:
endpoint-exceptionlist-macos-v1:
encryption_algorithm: none
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
decoded_size: 14
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
encoded_size: 22
relative_url: >-
/api/endpoint/artifacts/download/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
compression_algorithm: zlib
endpoint-exceptionlist-windows-v1:
encryption_algorithm: none
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
decoded_size: 14
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
encoded_size: 22
relative_url: >-
/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
compression_algorithm: zlib
endpoint-trustlist-macos-v1:
encryption_algorithm: none
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
decoded_size: 14
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
encoded_size: 22
relative_url: >-
/api/endpoint/artifacts/download/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
compression_algorithm: zlib
endpoint-trustlist-windows-v1:
encryption_algorithm: none
decoded_sha256: 066c3745f1d402e1632c8c53fd947eaea7bb2e85566c3716f51630713783c4ca
decoded_size: 652
encoded_sha256: c800af98d4b0d6f5bed9da86541d335fe81a2f0b17770c39408a41063247b3e3
encoded_size: 209
relative_url: >-
/api/endpoint/artifacts/download/endpoint-trustlist-windows-v1/066c3745f1d402e1632c8c53fd947eaea7bb2e85566c3716f51630713783c4ca
compression_algorithm: zlib
endpoint-trustlist-linux-v1:
encryption_algorithm: none
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
decoded_size: 14
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
encoded_size: 22
relative_url: >-
/api/endpoint/artifacts/download/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
compression_algorithm: zlib
policy:
windows:
events:
dll_and_driver_load: true
dns: true
file: true
network: true
process: true
registry: true
security: true
malware:
mode: prevent
ransomware:
mode: 'off'
popup:
malware:
enabled: true
message: ''
ransomware:
enabled: false
message: ''
logging:
file: info
antivirus_registration:
enabled: false
mac:
events:
process: true
file: true
network: true
malware:
mode: prevent
popup:
malware:
enabled: true
message: ''
logging:
file: info
linux:
events:
process: true
file: true
network: true
logging:
file: info
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment