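// Surface cmd.exe launches on one host and render the raw token/integrity fields as labels.
// IntegrityLevel is formatted as a hex string first, so every regex key below must match
// that exact rendered form.
event_platform=Win ComputerName="AMB00285526HS" #event_simpleName=ProcessRollup2 FileName=cmd.exe 
// | parseHexString(field="IntegrityLevel")
// %04X zero-pads to four hex digits; plain %X renders 0 as "0x0", so the "0x0000" rule below never fires.
| IntegrityLevel := format(field=IntegrityLevel, "0x%04X")
// Anchored so a partial match cannot rewrite digits inside a longer or unexpected value.
| replace(field=TokenType, regex="^1$", with="PRIMARY")
| replace(field=TokenType, regex="^2$", with="IMPERSONATION")
| replace(field=IntegrityLevel, regex="^0x0000$", with="UNTRUSTED")
| replace(field=IntegrityLevel, regex="^0x1000$", with="LOW")
| replace(field=IntegrityLevel, regex="^0x2000$", with="MEDIUM")
| replace(field=IntegrityLevel, regex="^0x2100$", with="MEDIUM-HIGH")
| replace(field=IntegrityLevel, regex="^0x3000$", with="HIGH")
| replace(field=IntegrityLevel, regex="^0x4000$", with="SYSTEM")
| replace(field=IntegrityLevel, regex="^0x5000$", with="PROTECTED")
// Any value outside the mapping stays as its "0x...." string so it is still visible in the output.
| table([@timestamp, ComputerName, UserName, FileName, FilePath, TokenType, IntegrityLevel])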