Some auditing messages (4663, for example) contain a list of permissions (a.k.a. AccessList).
This list is encoded as a list of numeric identifiers ("%%4416"), and we would like to have them mapped to their textual representation ("ReadData (or ListDirectory)") as Event Viewer does.
Hello Adrian,
There is a list in %windir%\system32\msobjs.dll
I am following these instructions.
http://blog.ivanspiridonov.com/?p=407
I will try to help you out with this. :)
Windows 10 list from msobjs.dll converted to go map structure
https://gist.github.com/leopucci/25a06a305a2a74f297eab1493a136dcb
Tomorrow I will understand the behavior and convert it to text. o/!
Finishing other issues before starting this one.
Just a note for myself or anyone that wants to help
Good starting point winlogbeat/sys/event_test.go - create test with Access List first.
This sounds like something that we could bake into the Security log processor I'm adding in this PR.
One thing I'd like to check is what event IDs have the AccessList parameter and do the values have the same meaning.
Many event IDs will have the AccessList, but it will always use this pattern:

```xml
<Event>
<EventData>
<Data Name="AccessList">%%1537 %%4418 %%4417</Data>
</EventData>
</Event>
```

The values have had the same meaning since Windows XP. Newer Windows versions might add new values, so if a value is not mapped, it should pass the %%1537 value through (I think, just to be sure that it will not pass 0 or "" ahead).
Windows 10 list from msobjs.dll converted to go map structure
https://gist.github.com/leopucci/25a06a305a2a74f297eab1493a136dcb
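The mapping described in the comments above, as an added example that is not part of the original issue or of winlogbeat's own code: it parses the `EventData/Data` element with `Name="AccessList"`, splits the space-separated `%%NNNN` identifiers, looks each one up in a table, and passes any unmapped identifier through unchanged instead of emitting `""` or `0`. The table below is a constructed excerpt of a handful of entries transcribed from the msobjs.dll message table; the full Windows 10 table is in the gist linked above, and the entries here should be checked against it before use. The sample event is constructed from the pattern shown in the thread.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// accessMaskNames is a constructed excerpt of the msobjs.dll message table
// (assumed entries; the full Windows 10 table is in the gist referenced in
// the thread and is the authority if anything here disagrees with it).
var accessMaskNames = map[string]string{
	"%%1537": "DELETE",
	"%%1538": "READ_CONTROL",
	"%%1539": "WRITE_DAC",
	"%%1540": "WRITE_OWNER",
	"%%1541": "SYNCHRONIZE",
	"%%1542": "ACCESS_SYS_SEC",
	"%%4416": "ReadData (or ListDirectory)",
	"%%4417": "WriteData (or AddFile)",
	"%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
	"%%4419": "ReadEA",
	"%%4420": "WriteEA",
	"%%4423": "ReadAttributes",
	"%%4424": "WriteAttributes",
}

// event mirrors just enough of the Windows event XML to reach EventData/Data.
type event struct {
	Data []struct {
		Name  string `xml:"Name,attr"`
		Value string `xml:",chardata"`
	} `xml:"EventData>Data"`
}

// resolveAccessList maps the whitespace-separated %%NNNN identifiers to their
// textual names. Unmapped identifiers (e.g. values added by a newer Windows
// release) pass through unchanged so nothing is silently dropped to "" or 0.
func resolveAccessList(raw string) []string {
	fields := strings.Fields(raw) // handles the "\r\n\t\t" separators real events use
	out := make([]string, 0, len(fields))
	for _, id := range fields {
		if name, ok := accessMaskNames[id]; ok {
			out = append(out, name)
		} else {
			out = append(out, id)
		}
	}
	return out
}

// accessListFromEvent extracts and resolves the AccessList parameter from an
// event XML document; it returns nil (and no error) when the event has none.
func accessListFromEvent(xmlDoc string) ([]string, error) {
	var ev event
	if err := xml.Unmarshal([]byte(xmlDoc), &ev); err != nil {
		return nil, err
	}
	for _, d := range ev.Data {
		if d.Name == "AccessList" {
			return resolveAccessList(d.Value), nil
		}
	}
	return nil, nil
}

// sampleEvent is a constructed 4663-style body following the pattern in the
// thread; %%9999 is a deliberately unmapped value to exercise the fallback.
const sampleEvent = `<Event><EventData><Data Name="AccessList">%%1537 %%4418 %%4417 %%9999</Data></EventData></Event>`

func main() {
	names, err := accessListFromEvent(sampleEvent)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println(strings.Join(names, ", "))
}
```

A processor built on this would look up `accessMaskNames` once at startup from the full table rather than embedding a hand-copied excerpt; the pass-through branch is the part that matters, because a newer OS can legitimately emit an identifier the table does not know.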
Gist for extracting the message table: https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012