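// Falcon / LogScale: cmd.exe launches on one host, with TokenType and IntegrityLevel
// decoded into readable labels. Terms on the first line are implicitly ANDed.
// The hostname is hard-coded; edit the literal (or turn it into a ?hostname parameter)
// to retarget the query.
// FileName is matched case-insensitively so CMD.EXE / Cmd.exe launches are not missed.
#event_simpleName=ProcessRollup2 event_platform=Win ComputerName="AMB00285526HS" FileName=/^cmd\.exe$/i
// parseHexString() decodes a hex-encoded string into its byte string; IntegrityLevel is
// treated as a number by format() below, so this stage is left disabled. Keep it on its
// own line: in a single-line query, `//` would comment out every stage that follows it.
// | parseHexString(field="IntegrityLevel")
// Render the numeric level as hex, e.g. 8192 -> 0x2000.
| IntegrityLevel := format(field=IntegrityLevel, "0x%X")
// Anchored regexes: an unanchored "1" would also rewrite any other value containing a 1.
| replace(field=TokenType, regex="^1$", with="PRIMARY")
| replace(field=TokenType, regex="^2$", with="IMPERSONATION")
// %X prints zero as "0x0", not "0x0000", so the untrusted level must match "0x0".
| replace(field=IntegrityLevel, regex="^0x0$", with="UNTRUSTED")
| replace(field=IntegrityLevel, regex="^0x1000$", with="LOW")
| replace(field=IntegrityLevel, regex="^0x2000$", with="MEDIUM")
| replace(field=IntegrityLevel, regex="^0x2100$", with="MEDIUM-HIGH")
| replace(field=IntegrityLevel, regex="^0x3000$", with="HIGH")
| replace(field=IntegrityLevel, regex="^0x4000$", with="SYSTEM")
| replace(field=IntegrityLevel, regex="^0x5000$", with="PROTECTED")
// Any level not listed above stays as its hex string rather than being silently dropped.
| table([@timestamp, ComputerName, UserName, FileName, FilePath, TokenType, IntegrityLevel])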