Adding parsing of event.id 4663 to the security module

Hello everyone,

I want to have control over file access using Winlogbeat by parsing events with ID 4663...

I am modifying the "security" module so that it can read the events with that ID. I have seen that there is a variable with all the codes, called "msobjsMessageTable", and that the access code has the form "%% 4423", for example.

The piece of code I wrote is:

var code = evt.Get("winlog.event_data.AccessList");
code = code.replace("%%","");
evt.Put("winlog.access.code", code);
var accesslistdescription = msobjsMessageTable[code];
if (!accesslistdescription) {
    evt.Put("winlog.acess.code_description", "Error");
    return;
}
evt.Put("winlog.acess.code_description", accesslistdescription);

But the variable "accesslistdescription" always returns "Error", even though the code is specified inside the variable "msobjsMessageTable"....

What am I doing wrong?

Thank you very much in advance... I am really stuck on this and I don't know why.

There's already an example of this in the Security module. You can pull that out into a reusable function. Then use that function in a processor for 4663.
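As an added illustration of the reply above (example code written for this page, not the Security module's own code): a reusable helper that turns the 4663 AccessList field into readable access-right names, and a processor function that calls it. The AccessList value can carry several "%%NNNN" tokens separated by newlines and tabs, so the helper splits on whitespace and strips the "%%" prefix from each token before looking it up. The msobjsMessageTable here is a constructed subset of the module's table, the winlog.access.* output field names and the FakeEvent stand-in for the Beats event object are assumptions made for this example, and the 4663 event is constructed sample data. The code sticks to ES5 syntax because Winlogbeat's processor engine is an ES5 interpreter.

```javascript
// Added example, not Winlogbeat's own module code.
// ES5 only: Winlogbeat runs processor scripts in an ES5 interpreter.

// Constructed subset of the Security module's msobjsMessageTable; the real
// table has many more entries. Keys are the numeric part after "%%".
var msobjsMessageTable = {
    "1537": "DELETE",
    "1538": "READ_CONTROL",
    "1539": "WRITE_DAC",
    "1540": "WRITE_OWNER",
    "1541": "SYNCHRONIZE",
    "4416": "ReadData (or ListDirectory)",
    "4417": "WriteData (or AddFile)",
    "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "4419": "ReadEA",
    "4420": "WriteEA",
    "4421": "Execute/Traverse",
    "4422": "DeleteChild",
    "4423": "ReadAttributes",
    "4424": "WriteAttributes"
};

// Reusable parser. AccessList holds one or more "%%NNNN" tokens separated by
// whitespace, e.g. "%%4416\n\t\t\t\t%%4423\n\t\t\t\t". Returns the bare codes
// and their descriptions; an unknown code yields "unknown(NNNN)" rather than
// aborting the whole lookup.
function parseAccessList(accessList) {
    var codes = [];
    var descriptions = [];
    if (!accessList) {
        return { codes: codes, descriptions: descriptions };
    }
    var tokens = String(accessList).split(/\s+/);
    for (var i = 0; i < tokens.length; i++) {
        var tok = tokens[i];
        if (tok === "") {
            continue;
        }
        var code = tok.indexOf("%%") === 0 ? tok.substring(2) : tok;
        codes.push(code);
        var desc = msobjsMessageTable[code];
        descriptions.push(desc ? desc : "unknown(" + code + ")");
    }
    return { codes: codes, descriptions: descriptions };
}

// Processor body in the shape a Winlogbeat script processor uses: read the raw
// field from the event, write the parsed results back. The winlog.access.*
// field names are an assumption for this example.
function addAccessListValues(evt) {
    var accessList = evt.Get("winlog.event_data.AccessList");
    if (!accessList) {
        return;
    }
    var parsed = parseAccessList(accessList);
    evt.Put("winlog.access.codes", parsed.codes);
    evt.Put("winlog.access.code_descriptions", parsed.descriptions);
}

// Minimal stand-in for the Beats event object (Get/Put over dotted keys) so
// the processor can be exercised outside Winlogbeat. Assumption for this example.
function FakeEvent(fields) {
    this.fields = fields;
}
FakeEvent.prototype.Get = function (key) {
    return Object.prototype.hasOwnProperty.call(this.fields, key) ? this.fields[key] : null;
};
FakeEvent.prototype.Put = function (key, value) {
    this.fields[key] = value;
};

// Constructed sample 4663 event: a directory listing plus an attribute read
// (AccessMask 0x81 = 0x1 ReadData | 0x80 ReadAttributes). Real events carry
// more event_data fields than shown here.
function sample4663() {
    return new FakeEvent({
        "winlog.event_id": 4663,
        "winlog.event_data.ObjectType": "File",
        "winlog.event_data.ObjectName": "C:\\Users\\alice\\Documents\\secret.docx",
        "winlog.event_data.AccessList": "%%4416\n\t\t\t\t%%4423\n\t\t\t\t",
        "winlog.event_data.AccessMask": "0x81"
    });
}

// Runs the processor on the sample, guarded by event ID as a 4663 handler
// would be, and returns the resulting fields for inspection.
function processSample() {
    var evt = sample4663();
    if (evt.Get("winlog.event_id") === 4663) {
        addAccessListValues(evt);
    }
    return evt.fields;
}
```

Inside the module itself you would drop FakeEvent and sample4663, keep parseAccessList and addAccessListValues next to the module's existing handlers, and register addAccessListValues for event ID 4663 the same way the module registers its other per-event functions; this example does not reproduce that registration.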

Hi @andrewkroh,

Thanks for the help! I have adapted my code with the example you have given me and it is working!

Thanks a lot!
