Rendering access rights codes in Windows security audit records


Kevin Branch

Jun 13, 2016, 6:42:01 PM6/13/16
to wa...@googlegroups.com
It seems that Windows security audit records contain codes for access rights which are rendered to be human readable in the Windows Event Viewer but the underlying log record is full of many access rights codes like %%1541.  For example, this part of such a record is displayed as
Access Reasons:		READ_CONTROL:	Granted by	D:(A;ID;0x1200a9;;;BU)
				SYNCHRONIZE:	Granted by	D:(A;ID;0x1200a9;;;BU)
				ReadData (or ListDirectory):	Granted by	D:(A;ID;0x1200a9;;;BU)
				ReadEA:	Granted by	D:(A;ID;0x1200a9;;;BU)
				ReadAttributes:	Granted by	D:(A;ID;0x1200a9;;;BU)
but in the underlying XML of the Windows log entry, which is what the OSSEC agent feeds to ELK, it looks like this:

<Data Name="AccessReason">%%1538: %%1801 D:(A;ID;0x1200a9;;;BU)
				%%1541:	%%1801	D:(A;ID;0x1200a9;;;BU)
				%%4416:	%%1801	D:(A;ID;0x1200a9;;;BU)
				%%4419:	%%1801	D:(A;ID;0x1200a9;;;BU)
				%%4423:	%%1801	D:(A;ID;0x1200a9;;;BU)
				</Data>
As a human, I like the human-readable form much better.  If the number of common codes is not too big, I was thinking I could configure Logstash to use mutate->gsub on such log records to search/replace the numeric codes with the textual names.  

Before I dive in I thought I'd ask if anyone else has already taken a crack at this.  If not, I will do so, and would be happy to share the results with the group.

Kevin

Jesus Linares

Jun 16, 2016, 4:12:30 AM6/16/16
to Wazuh mailing list
Hi Kevin,

we don't have the mapping between codes and human readable access rights for logstash. Also, I'm not sure if these codes are consistent across Windows versions.

Windows should provide a way to log the access rights rendered to be human readable. As you said in ossec-list, maybe a Windows agent could do the translation. We will take a deeper look at this issue.

In the meantime, you can try it with logstash and mutate.

Thanks!
Regards.
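The substitution Kevin describes, and that Jesus suggests doing with Logstash `mutate`, written out as an added Python example (it is not code from either poster, from Wazuh or from OSSEC). The code-to-name mapping is read off the two forms of the same record quoted in the first message, so it covers only the six codes that appear there; any code not in the table is left verbatim and reported, which matters because the thread itself notes the numbering may not be consistent across Windows versions. The sample event and the `access_reason` field name are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# %%NNNN message codes -> names the Event Viewer renders.
# Taken by lining up the rendered and raw forms of the record quoted in the
# thread; only those six codes are known from the page.  Anything else must be
# added after checking it against Event Viewer output on the system in question.
ACCESS_CODE_NAMES = {
    "%%1538": "READ_CONTROL",
    "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData (or ListDirectory)",
    "%%4419": "ReadEA",
    "%%4423": "ReadAttributes",
    "%%1801": "Granted by",
}

CODE_PATTERN = re.compile(r"%%\d+")


def render_codes(text, mapping=ACCESS_CODE_NAMES):
    """Replace every %%NNNN code in text with its name.

    Codes missing from the mapping are kept as-is so nothing is silently lost."""
    return CODE_PATTERN.sub(lambda m: mapping.get(m.group(0), m.group(0)), text)


def unresolved_codes(text, mapping=ACCESS_CODE_NAMES):
    """Sorted list of codes present in text that the mapping does not cover."""
    return sorted({c for c in CODE_PATTERN.findall(text) if c not in mapping})


def render_access_reason(event_xml, mapping=ACCESS_CODE_NAMES):
    """Find the <Data Name="AccessReason"> element in an event XML fragment and
    return its lines as (right, decision, ace) tuples, e.g.
    ("READ_CONTROL", "Granted by", "D:(A;ID;0x1200a9;;;BU)")."""
    root = ET.fromstring(event_xml)
    rows = []
    for node in root.iter("Data"):          # iter() includes root itself
        if node.get("Name") != "AccessReason" or not node.text:
            continue
        for line in node.text.splitlines():
            line = line.strip()
            if not line:
                continue
            # Raw line shape: "%%1541:\t%%1801\tD:(A;ID;0x1200a9;;;BU)"
            right_code, _, rest = line.partition(":")
            tokens = render_codes(rest, mapping).split()
            if not tokens:
                continue
            ace = tokens[-1]                # the SDDL ACE is the last token
            decision = " ".join(tokens[:-1])
            rows.append((render_codes(right_code, mapping), decision, ace))
    return rows


def logstash_gsub_array(field, mapping=ACCESS_CODE_NAMES):
    """Flat [field, pattern, replacement, ...] list in the shape Logstash's
    mutate { gsub => [...] } option takes, one triple per code.  '%' is not a
    regex metacharacter, so the codes can be used as patterns directly."""
    out = []
    for code, name in mapping.items():
        out.extend([field, code, name])
    return out


# Constructed sample event: the AccessReason element from the thread wrapped in
# a minimal EventData parent, with one unknown code added on the last line.
SAMPLE_EVENT = (
    '<EventData><Data Name="AccessReason">%%1538: %%1801 D:(A;ID;0x1200a9;;;BU)\n'
    "\t\t\t\t%%1541:\t%%1801\tD:(A;ID;0x1200a9;;;BU)\n"
    "\t\t\t\t%%4416:\t%%1801\tD:(A;ID;0x1200a9;;;BU)\n"
    "\t\t\t\t%%4419:\t%%1801\tD:(A;ID;0x1200a9;;;BU)\n"
    "\t\t\t\t%%4423:\t%%1801\tD:(A;ID;0x1200a9;;;BU)\n"
    "\t\t\t\t%%9999:\t%%1801\tD:(A;ID;0x1200a9;;;BU)\n"   # constructed unknown code
    "\t\t\t\t</Data></EventData>"
)

if __name__ == "__main__":
    for right, decision, ace in render_access_reason(SAMPLE_EVENT):
        print(f"{right}:\t{decision}\t{ace}")
    print("unresolved:", unresolved_codes(SAMPLE_EVENT))
    print("gsub array:", logstash_gsub_array("access_reason"))
```

Running the block prints the five rendered rights in the same form Event Viewer shows, then `unresolved: ['%%9999']` for the constructed unknown code, which is the check worth keeping once the table is built from a real system: a non-empty unresolved list is the signal that a new Windows build or a different event ID has introduced codes the table does not know.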