Commit e1c1cee

committed
update windows-events filter
1 parent c7142ee commit e1c1cee

1 file changed: +30 -30 lines changed


filters/windows/windows-events.yml

Lines changed: 30 additions & 30 deletions
@@ -2282,210 +2282,210 @@ pipeline:
22822282
params:
22832283
key: log.accessType
22842284
value: 'read'
2285-
where: equals("log.eventDataAccessMask", "0x1") && equals("log.eventCode", 4663)
2285+
where: equals("log.eventDataAccessMask", "1") && equals("log.eventCode", 4663)
22862286

22872287
- add:
22882288
function: 'string'
22892289
params:
22902290
key: log.accessDescription
22912291
value: 'For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.\n For a directory, the right to list the contents of the directory.\n For registry objects, this is, Query key value.'
2292-
where: equals("log.eventDataAccessMask", "0x1") && equals("log.eventCode", 4663)
2292+
where: equals("log.eventDataAccessMask", "1") && equals("log.eventCode", 4663)
22932293

22942294
- add:
22952295
function: 'string'
22962296
params:
22972297
key: log.accessType
22982298
value: 'write'
2299-
where: equals("log.eventDataAccessMask", "0x2") && equals("log.eventCode", 4663)
2299+
where: equals("log.eventDataAccessMask", "2") && equals("log.eventCode", 4663)
23002300

23012301
- add:
23022302
function: 'string'
23032303
params:
23042304
key: log.accessDescription
23052305
value: 'For a file object, the right to write data to the file.\n For a directory object, the right to create a file in the directory.\n For registry objects, this is, Set key value.'
2306-
where: equals("log.eventDataAccessMask", "0x2") && equals("log.eventCode", 4663)
2306+
where: equals("log.eventDataAccessMask", "2") && equals("log.eventCode", 4663)
23072307

23082308
- add:
23092309
function: 'string'
23102310
params:
23112311
key: log.accessType
23122312
value: 'append'
2313-
where: equals("log.eventDataAccessMask", "0x4") && equals("log.eventCode", 4663)
2313+
where: equals("log.eventDataAccessMask", "4") && equals("log.eventCode", 4663)
23142314

23152315
- add:
23162316
function: 'string'
23172317
params:
23182318
key: log.accessDescription
23192319
value: 'For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.)\n For a directory object, the right to create a subdirectory.\n For a named pipe, the right to create a pipe.'
2320-
where: equals("log.eventDataAccessMask", "0x4") && equals("log.eventCode", 4663)
2320+
where: equals("log.eventDataAccessMask", "4") && equals("log.eventCode", 4663)
23212321

23222322
- add:
23232323
function: 'string'
23242324
params:
23252325
key: log.accessType
23262326
value: 'read_extended_attributes'
2327-
where: equals("log.eventDataAccessMask", "0x8") && equals("log.eventCode", 4663)
2327+
where: equals("log.eventDataAccessMask", "8") && equals("log.eventCode", 4663)
23282328

23292329
- add:
23302330
function: 'string'
23312331
params:
23322332
key: log.accessDescription
23332333
value: 'The right to read extended file attributes.\n For registry objects, this is, Enumerate sub-keys.'
2334-
where: equals("log.eventDataAccessMask", "0x8") && equals("log.eventCode", 4663)
2334+
where: equals("log.eventDataAccessMask", "8") && equals("log.eventCode", 4663)
23352335

23362336
- add:
23372337
function: 'string'
23382338
params:
23392339
key: log.accessType
23402340
value: 'write_extended_attributes'
2341-
where: equals("log.eventDataAccessMask", "0x10") && equals("log.eventCode", 4663)
2341+
where: equals("log.eventDataAccessMask", "16") && equals("log.eventCode", 4663)
23422342

23432343
- add:
23442344
function: 'string'
23452345
params:
23462346
key: log.accessDescription
23472347
value: 'The right to write extended file attributes.'
2348-
where: equals("log.eventDataAccessMask", "0x10") && equals("log.eventCode", 4663)
2348+
where: equals("log.eventDataAccessMask", "16") && equals("log.eventCode", 4663)
23492349

23502350
- add:
23512351
function: 'string'
23522352
params:
23532353
key: log.accessType
23542354
value: 'execute'
2355-
where: equals("log.eventDataAccessMask", "0x20") && equals("log.eventCode", 4663)
2355+
where: equals("log.eventDataAccessMask", "32") && equals("log.eventCode", 4663)
23562356

23572357
- add:
23582358
function: 'string'
23592359
params:
23602360
key: log.accessDescription
23612361
value: 'For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.\n For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right.'
2362-
where: equals("log.eventDataAccessMask", "0x20") && equals("log.eventCode", 4663)
2362+
where: equals("log.eventDataAccessMask", "32") && equals("log.eventCode", 4663)
23632363

23642364
- add:
23652365
function: 'string'
23662366
params:
23672367
key: log.accessType
23682368
value: 'delete_child'
2369-
where: equals("log.eventDataAccessMask", "0x40") && equals("log.eventCode", 4663)
2369+
where: equals("log.eventDataAccessMask", "64") && equals("log.eventCode", 4663)
23702370

23712371
- add:
23722372
function: 'string'
23732373
params:
23742374
key: log.accessDescription
23752375
value: 'For a directory, the right to delete a directory and all the files it contains, including read-only files.'
2376-
where: equals("log.eventDataAccessMask", "0x40") && equals("log.eventCode", 4663)
2376+
where: equals("log.eventDataAccessMask", "64") && equals("log.eventCode", 4663)
23772377

23782378
- add:
23792379
function: 'string'
23802380
params:
23812381
key: log.accessType
23822382
value: 'read_attributes'
2383-
where: equals("log.eventDataAccessMask", "0x80") && equals("log.eventCode", 4663)
2383+
where: equals("log.eventDataAccessMask", "128") && equals("log.eventCode", 4663)
23842384

23852385
- add:
23862386
function: 'string'
23872387
params:
23882388
key: log.accessDescription
23892389
value: 'The right to read file attributes.'
2390-
where: equals("log.eventDataAccessMask", "0x80") && equals("log.eventCode", 4663)
2390+
where: equals("log.eventDataAccessMask", "128") && equals("log.eventCode", 4663)
23912391

23922392
- add:
23932393
function: 'string'
23942394
params:
23952395
key: log.accessType
23962396
value: 'write_attributes'
2397-
where: equals("log.eventDataAccessMask", "0x100") && equals("log.eventCode", 4663)
2397+
where: equals("log.eventDataAccessMask", "256") && equals("log.eventCode", 4663)
23982398

23992399
- add:
24002400
function: 'string'
24012401
params:
24022402
key: log.accessDescription
24032403
value: 'The right to write file attributes.'
2404-
where: equals("log.eventDataAccessMask", "0x100") && equals("log.eventCode", 4663)
2404+
where: equals("log.eventDataAccessMask", "256") && equals("log.eventCode", 4663)
24052405

24062406
- add:
24072407
function: 'string'
24082408
params:
24092409
key: log.accessType
24102410
value: 'delete'
2411-
where: equals("log.eventDataAccessMask", "0x10000") && equals("log.eventCode", 4663)
2411+
where: equals("log.eventDataAccessMask", "65536") && equals("log.eventCode", 4663)
24122412

24132413
- add:
24142414
function: 'string'
24152415
params:
24162416
key: log.accessDescription
24172417
value: 'The right to delete the object.'
2418-
where: equals("log.eventDataAccessMask", "0x10000") && equals("log.eventCode", 4663)
2418+
where: equals("log.eventDataAccessMask", "65536") && equals("log.eventCode", 4663)
24192419

24202420
- add:
24212421
function: 'string'
24222422
params:
24232423
key: log.accessType
24242424
value: 'read_control'
2425-
where: equals("log.eventDataAccessMask", "0x20000") && equals("log.eventCode", 4663)
2425+
where: equals("log.eventDataAccessMask", "131072") && equals("log.eventCode", 4663)
24262426

24272427
- add:
24282428
function: 'string'
24292429
params:
24302430
key: log.accessDescription
24312431
value: 'The right to read information in the security descriptor object, without including the information in the system access control list (SACL).'
2432-
where: equals("log.eventDataAccessMask", "0x20000") && equals("log.eventCode", 4663)
2432+
where: equals("log.eventDataAccessMask", "131072") && equals("log.eventCode", 4663)
24332433

24342434
- add:
24352435
function: 'string'
24362436
params:
24372437
key: log.accessType
24382438
value: 'write_dac'
2439-
where: equals("log.eventDataAccessMask", "0x40000") && equals("log.eventCode", 4663)
2439+
where: equals("log.eventDataAccessMask", "262144") && equals("log.eventCode", 4663)
24402440

24412441
- add:
24422442
function: 'string'
24432443
params:
24442444
key: log.accessDescription
24452445
value: 'The right to modify the discretionary access control list (DACL) in the security descriptor object.'
2446-
where: equals("log.eventDataAccessMask", "0x40000") && equals("log.eventCode", 4663)
2446+
where: equals("log.eventDataAccessMask", "262144") && equals("log.eventCode", 4663)
24472447

24482448
- add:
24492449
function: 'string'
24502450
params:
24512451
key: log.accessType
24522452
value: 'write_owner'
2453-
where: equals("log.eventDataAccessMask", "0x80000") && equals("log.eventCode", 4663)
2453+
where: equals("log.eventDataAccessMask", "524288") && equals("log.eventCode", 4663)
24542454

24552455
- add:
24562456
function: 'string'
24572457
params:
24582458
key: log.accessDescription
24592459
value: 'The right to change the owner in the security descriptor object'
2460-
where: equals("log.eventDataAccessMask", "0x80000") && equals("log.eventCode", 4663)
2460+
where: equals("log.eventDataAccessMask", "524288") && equals("log.eventCode", 4663)
24612461

24622462
- add:
24632463
function: 'string'
24642464
params:
24652465
key: log.accessType
24662466
value: 'synchronize'
2467-
where: equals("log.eventDataAccessMask", "0x100000") && equals("log.eventCode", 4663)
2467+
where: equals("log.eventDataAccessMask", "1048576") && equals("log.eventCode", 4663)
24682468

24692469
- add:
24702470
function: 'string'
24712471
params:
24722472
key: log.accessDescription
24732473
value: 'The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.'
2474-
where: equals("log.eventDataAccessMask", "0x100000") && equals("log.eventCode", 4663)
2474+
where: equals("log.eventDataAccessMask", "1048576") && equals("log.eventCode", 4663)
24752475

24762476
- add:
24772477
function: 'string'
24782478
params:
24792479
key: log.accessType
24802480
value: 'access_sys_sec'
2481-
where: equals("log.eventDataAccessMask", "0x1000000") && equals("log.eventCode", 4663)
2481+
where: equals("log.eventDataAccessMask", "16777216") && equals("log.eventCode", 4663)
24822482

24832483
- add:
24842484
function: 'string'
24852485
params:
24862486
key: log.accessDescription
24872487
value: 'The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an security descriptor object.'
2488-
where: equals("log.eventDataAccessMask", "0x1000000") && equals("log.eventCode", 4663)
2488+
where: equals("log.eventDataAccessMask", "16777216") && equals("log.eventCode", 4663)
24892489

24902490
# Decoding the "eventStatus" field
24912491
- add:
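Review bot: every rewritten `where` clause in this hunk now compares `log.eventDataAccessMask` against a decimal string (`"1"`, `"2"`, ..., `"16777216"`), but nothing in the hunk shows the field being converted from the hex form that Windows writes into the 4663 event data, which is exactly the form the removed lines matched (`"0x1"`, `"0x2"`, ...). If no earlier pipeline step normalizes the mask to decimal, all thirty `add` steps silently stop matching and `log.accessType` / `log.accessDescription` are never set for any 4663 event; please reference the step that performs that conversion, since the commit message ("update windows-events filter") does not say why the representation changed. If that step parses the mask as a number rather than a string, the comparison should probably use a bare literal the way the same clauses compare `log.eventCode` to `4663`, not a quoted `"1"`. Two pre-existing points worth fixing while this block is being touched: `equals` on a single bit value only matches events whose AccessMask is exactly one right, so a 4663 event that combines rights (read and write requested together) matches none of these steps and gets no `accessType` at all; a bitwise-AND style test, if the filter language offers one, would classify those events too. And the `access_sys_sec` description at 2487 reads "in an security descriptor object"; "a security descriptor object" is the intended wording.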