private IEvent GetProcessCreationEvent(Dictionary <string, string> ev)
{
var commandline = GetEventPropertyFromMessage(ev[MessageFieldName], NewProcessCommandLineFieldName);
var executable = GetEventPropertyFromMessage(ev[MessageFieldName], ProcessNameFieldName);
var payload = new ProcessCreationPayload
{
Executable = executable,
ProcessId = Convert.ToUInt32(GetEventPropertyFromMessage(ev[MessageFieldName], ProcessIdFieldName), 16),
ParentProcessId = Convert.ToUInt32(GetEventPropertyFromMessage(ev[MessageFieldName], CreatorProcessIdFieldName), 16),
UserName = GetEventPropertyFromMessage(ev[MessageFieldName], AccountNameFieldName, 1),
UserId = GetEventPropertyFromMessage(ev[MessageFieldName], LogonIdFieldName),
CommandLine = string.IsNullOrWhiteSpace(commandline) ? executable : commandline,
Time = DateTime.Parse(ev[TimeGeneratedFieldName]),
ExtraDetails = new Dictionary <string, string>
{
{ $"CREATOR_{SecurityIdFieldName}", GetEventPropertyFromMessage(ev[MessageFieldName], SecurityIdFieldName) },
{ $"CREATOR_{AccountDomainFieldName}", GetEventPropertyFromMessage(ev[MessageFieldName], AccountDomainFieldName) },
{ $"CREATOR_{AccountNameFieldName}", GetEventPropertyFromMessage(ev[MessageFieldName], AccountNameFieldName) },
{ $"TARGET_{SecurityIdFieldName}", GetEventPropertyFromMessage(ev[MessageFieldName], SecurityIdFieldName, 1) },
{ $"TARGET_{AccountDomainFieldName}", GetEventPropertyFromMessage(ev[MessageFieldName], AccountDomainFieldName, 1) },
{ $"TARGET_{AccountNameFieldName}", GetEventPropertyFromMessage(ev[MessageFieldName], AccountNameFieldName, 1) },
{ $"TARGET_{LogonIdFieldName}", GetEventPropertyFromMessage(ev[MessageFieldName], LogonIdFieldName, 1) },
{ TokenElevationTypeFieldName, GetEventPropertyFromMessage(ev[MessageFieldName], TokenElevationTypeFieldName) },
{ MandatoryLabelFieldName, GetEventPropertyFromMessage(ev[MessageFieldName], MandatoryLabelFieldName) }
}
};
return(new ProcessCreate(AgentConfiguration.GetEventPriority <ProcessCreate>(), payload));
}
private IEvent GetProcessExitEvent(Dictionary <string, string> ev)
{
var payload = new ProcessTerminationPayload
{
Executable = GetEventPropertyFromMessage(ev[MessageFieldName], ProcessNameFieldName),
ProcessId = Convert.ToUInt32(GetEventPropertyFromMessage(ev[MessageFieldName], ProcessIdFieldName), 16),
ExitStatus = Convert.ToInt32(GetEventPropertyFromMessage(ev[MessageFieldName], ExitStatusFieldName), 16),
Time = DateTime.Parse(ev[TimeGeneratedFieldName]),
ExtraDetails = new Dictionary <string, string>
{
{ AccountDomainFieldName, GetEventPropertyFromMessage(ev[MessageFieldName], AccountDomainFieldName) },
{ AccountNameFieldName, GetEventPropertyFromMessage(ev[MessageFieldName], AccountNameFieldName) },
{ LogonIdFieldName, GetEventPropertyFromMessage(ev[MessageFieldName], LogonIdFieldName) }
}
};
return(new ProcessTerminate(AgentConfiguration.GetEventPriority <ProcessTerminate>(), payload));
}