github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/model/accessors_windows.go (about) 1 // Unless explicitly stated otherwise all files in this repository are licensed 2 // under the Apache License Version 2.0. 3 // This product includes software developed at Datadog (https://www.datadoghq.com/). 4 // Copyright 2022-present Datadog, Inc. 5 // Code generated - DO NOT EDIT. 6 7 //go:build windows 8 9 package model 10 11 import ( 12 "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval" 13 "reflect" 14 ) 15 16 func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error) { 17 switch field { 18 case "process.ancestors": 19 return &ProcessAncestorsIterator{}, nil 20 } 21 return nil, &eval.ErrIteratorNotSupported{Field: field} 22 } 23 func (m *Model) GetEventTypes() []eval.EventType { 24 return []eval.EventType{ 25 eval.EventType("create"), 26 eval.EventType("create_key"), 27 eval.EventType("delete"), 28 eval.EventType("delete_key"), 29 eval.EventType("exec"), 30 eval.EventType("exit"), 31 eval.EventType("open_key"), 32 eval.EventType("rename"), 33 eval.EventType("set_key_value"), 34 eval.EventType("write"), 35 } 36 } 37 func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { 38 switch field { 39 case "container.created_at": 40 return &eval.IntEvaluator{ 41 EvalFnc: func(ctx *eval.Context) int { 42 ev := ctx.Event.(*Event) 43 return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)) 44 }, 45 Field: field, 46 Weight: eval.HandlerWeight, 47 }, nil 48 case "container.id": 49 return &eval.StringEvaluator{ 50 EvalFnc: func(ctx *eval.Context) string { 51 ev := ctx.Event.(*Event) 52 return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext) 53 }, 54 Field: field, 55 Weight: eval.HandlerWeight, 56 }, nil 57 case "container.tags": 58 return &eval.StringArrayEvaluator{ 59 EvalFnc: func(ctx *eval.Context) []string { 60 ev := ctx.Event.(*Event) 61 return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext) 62 }, 63 Field: field, 64 Weight: 9999 * eval.HandlerWeight, 65 }, nil 66 case "create.file.device_path": 67 return &eval.StringEvaluator{ 68 OpOverrides: eval.WindowsPathCmp, 69 EvalFnc: func(ctx *eval.Context) string { 70 ev := ctx.Event.(*Event) 71 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File) 72 }, 73 Field: field, 74 Weight: eval.HandlerWeight, 75 }, nil 76 case "create.file.device_path.length": 77 return &eval.IntEvaluator{ 78 OpOverrides: eval.WindowsPathCmp, 79 EvalFnc: func(ctx *eval.Context) int { 80 ev := ctx.Event.(*Event) 81 return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File)) 82 }, 83 Field: field, 84 Weight: eval.HandlerWeight, 85 }, nil 86 case "create.file.name": 87 return &eval.StringEvaluator{ 88 OpOverrides: eval.CaseInsensitiveCmp, 89 EvalFnc: func(ctx *eval.Context) string { 90 ev := ctx.Event.(*Event) 91 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File) 92 }, 93 Field: field, 94 Weight: eval.HandlerWeight, 95 }, nil 96 case "create.file.name.length": 97 return &eval.IntEvaluator{ 98 OpOverrides: eval.CaseInsensitiveCmp, 99 EvalFnc: func(ctx *eval.Context) int { 100 ev := ctx.Event.(*Event) 101 return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File)) 102 }, 103 Field: field, 104 Weight: eval.HandlerWeight, 105 }, nil 106 case "create.registry.key_name": 107 return &eval.StringEvaluator{ 108 EvalFnc: func(ctx *eval.Context) string { 109 ev := ctx.Event.(*Event) 110 return ev.CreateRegistryKey.Registry.KeyName 111 }, 112 Field: field, 113 Weight: eval.FunctionWeight, 114 }, nil 115 case "create.registry.key_name.length": 116 return &eval.IntEvaluator{ 117 EvalFnc: func(ctx *eval.Context) int { 118 ev := ctx.Event.(*Event) 119 return len(ev.CreateRegistryKey.Registry.KeyName) 120 }, 121 Field: field, 122 Weight: eval.FunctionWeight, 123 }, nil 124 case "create.registry.key_path": 125 return &eval.StringEvaluator{ 126 OpOverrides: eval.CaseInsensitiveCmp, 127 EvalFnc: func(ctx *eval.Context) string { 128 ev := ctx.Event.(*Event) 129 return ev.CreateRegistryKey.Registry.KeyPath 130 }, 131 Field: field, 132 Weight: eval.FunctionWeight, 133 }, nil 134 case "create.registry.key_path.length": 135 return &eval.IntEvaluator{ 136 OpOverrides: eval.CaseInsensitiveCmp, 137 EvalFnc: func(ctx *eval.Context) int { 138 ev := ctx.Event.(*Event) 139 return len(ev.CreateRegistryKey.Registry.KeyPath) 140 }, 141 Field: field, 142 Weight: eval.FunctionWeight, 143 }, nil 144 case "create_key.registry.key_name": 145 return &eval.StringEvaluator{ 146 EvalFnc: func(ctx *eval.Context) string { 147 ev := ctx.Event.(*Event) 148 return ev.CreateRegistryKey.Registry.KeyName 149 }, 150 Field: field, 151 Weight: eval.FunctionWeight, 152 }, nil 153 case "create_key.registry.key_name.length": 154 return &eval.IntEvaluator{ 155 EvalFnc: func(ctx *eval.Context) int { 156 ev := ctx.Event.(*Event) 157 return len(ev.CreateRegistryKey.Registry.KeyName) 158 }, 159 Field: field, 160 Weight: eval.FunctionWeight, 161 }, nil 162 case "create_key.registry.key_path": 163 return &eval.StringEvaluator{ 164 OpOverrides: eval.CaseInsensitiveCmp, 165 EvalFnc: func(ctx *eval.Context) string { 166 ev := ctx.Event.(*Event) 167 return ev.CreateRegistryKey.Registry.KeyPath 168 }, 169 Field: field, 170 Weight: eval.FunctionWeight, 171 }, nil 172 case "create_key.registry.key_path.length": 173 return &eval.IntEvaluator{ 174 OpOverrides: eval.CaseInsensitiveCmp, 175 EvalFnc: func(ctx *eval.Context) int { 176 ev := ctx.Event.(*Event) 177 return len(ev.CreateRegistryKey.Registry.KeyPath) 178 }, 179 Field: field, 180 Weight: eval.FunctionWeight, 181 }, nil 182 case "delete.file.device_path": 183 return &eval.StringEvaluator{ 184 OpOverrides: eval.WindowsPathCmp, 185 EvalFnc: func(ctx *eval.Context) string { 186 ev := ctx.Event.(*Event) 187 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File) 188 }, 189 Field: field, 190 Weight: eval.HandlerWeight, 191 }, nil 192 case "delete.file.device_path.length": 193 return &eval.IntEvaluator{ 194 OpOverrides: eval.WindowsPathCmp, 195 EvalFnc: func(ctx *eval.Context) int { 196 ev := ctx.Event.(*Event) 197 return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File)) 198 }, 199 Field: field, 200 Weight: eval.HandlerWeight, 201 }, nil 202 case "delete.file.name": 203 return &eval.StringEvaluator{ 204 OpOverrides: eval.CaseInsensitiveCmp, 205 EvalFnc: func(ctx *eval.Context) string { 206 ev := ctx.Event.(*Event) 207 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File) 208 }, 209 Field: field, 210 Weight: eval.HandlerWeight, 211 }, nil 212 case "delete.file.name.length": 213 return &eval.IntEvaluator{ 214 OpOverrides: eval.CaseInsensitiveCmp, 215 EvalFnc: func(ctx *eval.Context) int { 216 ev := ctx.Event.(*Event) 217 return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File)) 218 }, 219 Field: field, 220 Weight: eval.HandlerWeight, 221 }, nil 222 case "delete.registry.key_name": 223 return &eval.StringEvaluator{ 224 EvalFnc: func(ctx *eval.Context) string { 225 ev := ctx.Event.(*Event) 226 return ev.DeleteRegistryKey.Registry.KeyName 227 }, 228 Field: field, 229 Weight: eval.FunctionWeight, 230 }, nil 231 case "delete.registry.key_name.length": 232 return &eval.IntEvaluator{ 233 EvalFnc: func(ctx *eval.Context) int { 234 ev := ctx.Event.(*Event) 235 return len(ev.DeleteRegistryKey.Registry.KeyName) 236 }, 237 Field: field, 238 Weight: eval.FunctionWeight, 239 }, nil 240 case "delete.registry.key_path": 241 return &eval.StringEvaluator{ 242 OpOverrides: eval.CaseInsensitiveCmp, 243 EvalFnc: func(ctx *eval.Context) string { 244 ev := ctx.Event.(*Event) 245 return ev.DeleteRegistryKey.Registry.KeyPath 246 }, 247 Field: field, 248 Weight: eval.FunctionWeight, 249 }, nil 250 case "delete.registry.key_path.length": 251 return &eval.IntEvaluator{ 252 OpOverrides: eval.CaseInsensitiveCmp, 253 EvalFnc: func(ctx *eval.Context) int { 254 ev := ctx.Event.(*Event) 255 return len(ev.DeleteRegistryKey.Registry.KeyPath) 256 }, 257 Field: field, 258 Weight: eval.FunctionWeight, 259 }, nil 260 case "delete_key.registry.key_name": 261 return &eval.StringEvaluator{ 262 EvalFnc: func(ctx *eval.Context) string { 263 ev := ctx.Event.(*Event) 264 return ev.DeleteRegistryKey.Registry.KeyName 265 }, 266 Field: field, 267 Weight: eval.FunctionWeight, 268 }, nil 269 case "delete_key.registry.key_name.length": 270 return &eval.IntEvaluator{ 271 EvalFnc: func(ctx *eval.Context) int { 272 ev := ctx.Event.(*Event) 273 return len(ev.DeleteRegistryKey.Registry.KeyName) 274 }, 275 Field: field, 276 Weight: eval.FunctionWeight, 277 }, nil 278 case "delete_key.registry.key_path": 279 return &eval.StringEvaluator{ 280 OpOverrides: eval.CaseInsensitiveCmp, 281 EvalFnc: func(ctx *eval.Context) string { 282 ev := ctx.Event.(*Event) 283 return ev.DeleteRegistryKey.Registry.KeyPath 284 }, 285 Field: field, 286 Weight: eval.FunctionWeight, 287 }, nil 288 case "delete_key.registry.key_path.length": 289 return &eval.IntEvaluator{ 290 OpOverrides: eval.CaseInsensitiveCmp, 291 EvalFnc: func(ctx *eval.Context) int { 292 ev := ctx.Event.(*Event) 293 return len(ev.DeleteRegistryKey.Registry.KeyPath) 294 }, 295 Field: field, 296 Weight: eval.FunctionWeight, 297 }, nil 298 case "event.origin": 299 return &eval.StringEvaluator{ 300 EvalFnc: func(ctx *eval.Context) string { 301 ev := ctx.Event.(*Event) 302 return ev.BaseEvent.Origin 303 }, 304 Field: field, 305 Weight: eval.FunctionWeight, 306 }, nil 307 case "event.os": 308 return &eval.StringEvaluator{ 309 EvalFnc: func(ctx *eval.Context) string { 310 ev := ctx.Event.(*Event) 311 return ev.BaseEvent.Os 312 }, 313 Field: field, 314 Weight: eval.FunctionWeight, 315 }, nil 316 case "event.service": 317 return &eval.StringEvaluator{ 318 EvalFnc: func(ctx *eval.Context) string { 319 ev := ctx.Event.(*Event) 320 return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent) 321 }, 322 Field: field, 323 Weight: eval.HandlerWeight, 324 }, nil 325 case "event.timestamp": 326 return &eval.IntEvaluator{ 327 EvalFnc: func(ctx *eval.Context) int { 328 ev := ctx.Event.(*Event) 329 return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)) 330 }, 331 Field: field, 332 Weight: eval.HandlerWeight, 333 }, nil 334 case "exec.cmdline": 335 return &eval.StringEvaluator{ 336 OpOverrides: eval.CaseInsensitiveCmp, 337 EvalFnc: func(ctx *eval.Context) string { 338 ev := ctx.Event.(*Event) 339 return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process) 340 }, 341 Field: field, 342 Weight: 200 * eval.HandlerWeight, 343 }, nil 344 case "exec.container.id": 345 return &eval.StringEvaluator{ 346 EvalFnc: func(ctx *eval.Context) string { 347 ev := ctx.Event.(*Event) 348 return ev.Exec.Process.ContainerID 349 }, 350 Field: field, 351 Weight: eval.FunctionWeight, 352 }, nil 353 case "exec.created_at": 354 return &eval.IntEvaluator{ 355 EvalFnc: func(ctx *eval.Context) int { 356 ev := ctx.Event.(*Event) 357 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)) 358 }, 359 Field: field, 360 Weight: eval.HandlerWeight, 361 }, nil 362 case "exec.envp": 363 return &eval.StringArrayEvaluator{ 364 EvalFnc: func(ctx *eval.Context) []string { 365 ev := ctx.Event.(*Event) 366 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process) 367 }, 368 Field: field, 369 Weight: 100 * eval.HandlerWeight, 370 }, nil 371 case "exec.envs": 372 return &eval.StringArrayEvaluator{ 373 EvalFnc: func(ctx *eval.Context) []string { 374 ev := ctx.Event.(*Event) 375 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process) 376 }, 377 Field: field, 378 Weight: 100 * eval.HandlerWeight, 379 }, nil 380 case "exec.file.name": 381 return &eval.StringEvaluator{ 382 OpOverrides: eval.CaseInsensitiveCmp, 383 EvalFnc: func(ctx *eval.Context) string { 384 ev := ctx.Event.(*Event) 385 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent) 386 }, 387 Field: field, 388 Weight: eval.HandlerWeight, 389 }, nil 390 case "exec.file.name.length": 391 return &eval.IntEvaluator{ 392 OpOverrides: eval.CaseInsensitiveCmp, 393 EvalFnc: func(ctx *eval.Context) int { 394 ev := ctx.Event.(*Event) 395 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent)) 396 }, 397 Field: field, 398 Weight: eval.HandlerWeight, 399 }, nil 400 case "exec.file.path": 401 return &eval.StringEvaluator{ 402 OpOverrides: eval.WindowsPathCmp, 403 EvalFnc: func(ctx *eval.Context) string { 404 ev := ctx.Event.(*Event) 405 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent) 406 }, 407 Field: field, 408 Weight: eval.HandlerWeight, 409 }, nil 410 case "exec.file.path.length": 411 return &eval.IntEvaluator{ 412 OpOverrides: eval.WindowsPathCmp, 413 EvalFnc: func(ctx *eval.Context) int { 414 ev := ctx.Event.(*Event) 415 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent)) 416 }, 417 Field: field, 418 Weight: eval.HandlerWeight, 419 }, nil 420 case "exec.pid": 421 return &eval.IntEvaluator{ 422 EvalFnc: func(ctx *eval.Context) int { 423 ev := ctx.Event.(*Event) 424 return int(ev.Exec.Process.PIDContext.Pid) 425 }, 426 Field: field, 427 Weight: eval.FunctionWeight, 428 }, nil 429 case "exec.ppid": 430 return &eval.IntEvaluator{ 431 EvalFnc: func(ctx *eval.Context) int { 432 ev := ctx.Event.(*Event) 433 return int(ev.Exec.Process.PPid) 434 }, 435 Field: field, 436 Weight: eval.FunctionWeight, 437 }, nil 438 case "exec.user": 439 return &eval.StringEvaluator{ 440 EvalFnc: func(ctx *eval.Context) string { 441 ev := ctx.Event.(*Event) 442 return ev.FieldHandlers.ResolveUser(ev, ev.Exec.Process) 443 }, 444 Field: field, 445 Weight: eval.HandlerWeight, 446 }, nil 447 case "exec.user_sid": 448 return &eval.StringEvaluator{ 449 EvalFnc: func(ctx *eval.Context) string { 450 ev := ctx.Event.(*Event) 451 return ev.Exec.Process.OwnerSidString 452 }, 453 Field: field, 454 Weight: eval.FunctionWeight, 455 }, nil 456 case "exit.cause": 457 return &eval.IntEvaluator{ 458 EvalFnc: func(ctx *eval.Context) int { 459 ev := ctx.Event.(*Event) 460 return int(ev.Exit.Cause) 461 }, 462 Field: field, 463 Weight: eval.FunctionWeight, 464 }, nil 465 case "exit.cmdline": 466 return &eval.StringEvaluator{ 467 OpOverrides: eval.CaseInsensitiveCmp, 468 EvalFnc: func(ctx *eval.Context) string { 469 ev := ctx.Event.(*Event) 470 return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process) 471 }, 472 Field: field, 473 Weight: 200 * eval.HandlerWeight, 474 }, nil 475 case "exit.code": 476 return &eval.IntEvaluator{ 477 EvalFnc: func(ctx *eval.Context) int { 478 ev := ctx.Event.(*Event) 479 return int(ev.Exit.Code) 480 }, 481 Field: field, 482 Weight: eval.FunctionWeight, 483 }, nil 484 case "exit.container.id": 485 return &eval.StringEvaluator{ 486 EvalFnc: func(ctx *eval.Context) string { 487 ev := ctx.Event.(*Event) 488 return ev.Exit.Process.ContainerID 489 }, 490 Field: field, 491 Weight: eval.FunctionWeight, 492 }, nil 493 case "exit.created_at": 494 return &eval.IntEvaluator{ 495 EvalFnc: func(ctx *eval.Context) int { 496 ev := ctx.Event.(*Event) 497 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)) 498 }, 499 Field: field, 500 Weight: eval.HandlerWeight, 501 }, nil 502 case "exit.envp": 503 return &eval.StringArrayEvaluator{ 504 EvalFnc: func(ctx *eval.Context) []string { 505 ev := ctx.Event.(*Event) 506 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process) 507 }, 508 Field: field, 509 Weight: 100 * eval.HandlerWeight, 510 }, nil 511 case "exit.envs": 512 return &eval.StringArrayEvaluator{ 513 EvalFnc: func(ctx *eval.Context) []string { 514 ev := ctx.Event.(*Event) 515 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process) 516 }, 517 Field: field, 518 Weight: 100 * eval.HandlerWeight, 519 }, nil 520 case "exit.file.name": 521 return &eval.StringEvaluator{ 522 OpOverrides: eval.CaseInsensitiveCmp, 523 EvalFnc: func(ctx *eval.Context) string { 524 ev := ctx.Event.(*Event) 525 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent) 526 }, 527 Field: field, 528 Weight: eval.HandlerWeight, 529 }, nil 530 case "exit.file.name.length": 531 return &eval.IntEvaluator{ 532 OpOverrides: eval.CaseInsensitiveCmp, 533 EvalFnc: func(ctx *eval.Context) int { 534 ev := ctx.Event.(*Event) 535 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent)) 536 }, 537 Field: field, 538 Weight: eval.HandlerWeight, 539 }, nil 540 case "exit.file.path": 541 return &eval.StringEvaluator{ 542 OpOverrides: eval.WindowsPathCmp, 543 EvalFnc: func(ctx *eval.Context) string { 544 ev := ctx.Event.(*Event) 545 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent) 546 }, 547 Field: field, 548 Weight: eval.HandlerWeight, 549 }, nil 550 case "exit.file.path.length": 551 return &eval.IntEvaluator{ 552 OpOverrides: eval.WindowsPathCmp, 553 EvalFnc: func(ctx *eval.Context) int { 554 ev := ctx.Event.(*Event) 555 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent)) 556 }, 557 Field: field, 558 Weight: eval.HandlerWeight, 559 }, nil 560 case "exit.pid": 561 return &eval.IntEvaluator{ 562 EvalFnc: func(ctx *eval.Context) int { 563 ev := ctx.Event.(*Event) 564 return int(ev.Exit.Process.PIDContext.Pid) 565 }, 566 Field: field, 567 Weight: eval.FunctionWeight, 568 }, nil 569 case "exit.ppid": 570 return &eval.IntEvaluator{ 571 EvalFnc: func(ctx *eval.Context) int { 572 ev := ctx.Event.(*Event) 573 return int(ev.Exit.Process.PPid) 574 }, 575 Field: field, 576 Weight: eval.FunctionWeight, 577 }, nil 578 case "exit.user": 579 return &eval.StringEvaluator{ 580 EvalFnc: func(ctx *eval.Context) string { 581 ev := ctx.Event.(*Event) 582 return ev.FieldHandlers.ResolveUser(ev, ev.Exit.Process) 583 }, 584 Field: field, 585 Weight: eval.HandlerWeight, 586 }, nil 587 case "exit.user_sid": 588 return &eval.StringEvaluator{ 589 EvalFnc: func(ctx *eval.Context) string { 590 ev := ctx.Event.(*Event) 591 return ev.Exit.Process.OwnerSidString 592 }, 593 Field: field, 594 Weight: eval.FunctionWeight, 595 }, nil 596 case "open.registry.key_name": 597 return &eval.StringEvaluator{ 598 EvalFnc: func(ctx *eval.Context) string { 599 ev := ctx.Event.(*Event) 600 return ev.OpenRegistryKey.Registry.KeyName 601 }, 602 Field: field, 603 Weight: eval.FunctionWeight, 604 }, nil 605 case "open.registry.key_name.length": 606 return &eval.IntEvaluator{ 607 EvalFnc: func(ctx *eval.Context) int { 608 ev := ctx.Event.(*Event) 609 return len(ev.OpenRegistryKey.Registry.KeyName) 610 }, 611 Field: field, 612 Weight: eval.FunctionWeight, 613 }, nil 614 case "open.registry.key_path": 615 return &eval.StringEvaluator{ 616 OpOverrides: eval.CaseInsensitiveCmp, 617 EvalFnc: func(ctx *eval.Context) string { 618 ev := ctx.Event.(*Event) 619 return ev.OpenRegistryKey.Registry.KeyPath 620 }, 621 Field: field, 622 Weight: eval.FunctionWeight, 623 }, nil 624 case "open.registry.key_path.length": 625 return &eval.IntEvaluator{ 626 OpOverrides: eval.CaseInsensitiveCmp, 627 EvalFnc: func(ctx *eval.Context) int { 628 ev := ctx.Event.(*Event) 629 return len(ev.OpenRegistryKey.Registry.KeyPath) 630 }, 631 Field: field, 632 Weight: eval.FunctionWeight, 633 }, nil 634 case "open_key.registry.key_name": 635 return &eval.StringEvaluator{ 636 EvalFnc: func(ctx *eval.Context) string { 637 ev := ctx.Event.(*Event) 638 return ev.OpenRegistryKey.Registry.KeyName 639 }, 640 Field: field, 641 Weight: eval.FunctionWeight, 642 }, nil 643 case "open_key.registry.key_name.length": 644 return &eval.IntEvaluator{ 645 EvalFnc: func(ctx *eval.Context) int { 646 ev := ctx.Event.(*Event) 647 return len(ev.OpenRegistryKey.Registry.KeyName) 648 }, 649 Field: field, 650 Weight: eval.FunctionWeight, 651 }, nil 652 case "open_key.registry.key_path": 653 return &eval.StringEvaluator{ 654 OpOverrides: eval.CaseInsensitiveCmp, 655 EvalFnc: func(ctx *eval.Context) string { 656 ev := ctx.Event.(*Event) 657 return ev.OpenRegistryKey.Registry.KeyPath 658 }, 659 Field: field, 660 Weight: eval.FunctionWeight, 661 }, nil 662 case "open_key.registry.key_path.length": 663 return &eval.IntEvaluator{ 664 OpOverrides: eval.CaseInsensitiveCmp, 665 EvalFnc: func(ctx *eval.Context) int { 666 ev := ctx.Event.(*Event) 667 return len(ev.OpenRegistryKey.Registry.KeyPath) 668 }, 669 Field: field, 670 Weight: eval.FunctionWeight, 671 }, nil 672 case "process.ancestors.cmdline": 673 return &eval.StringArrayEvaluator{ 674 OpOverrides: eval.CaseInsensitiveCmp, 675 EvalFnc: func(ctx *eval.Context) []string { 676 ev := ctx.Event.(*Event) 677 if result, ok := ctx.StringCache[field]; ok { 678 return result 679 } 680 var results []string 681 iterator := &ProcessAncestorsIterator{} 682 value := iterator.Front(ctx) 683 for value != nil { 684 element := (*ProcessCacheEntry)(value) 685 result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process) 686 results = append(results, result) 687 value = iterator.Next() 688 } 689 ctx.StringCache[field] = results 690 return results 691 }, Field: field, 692 Weight: 200 * eval.IteratorWeight, 693 }, nil 694 case "process.ancestors.container.id": 695 return &eval.StringArrayEvaluator{ 696 EvalFnc: func(ctx *eval.Context) []string { 697 if result, ok := ctx.StringCache[field]; ok { 698 return result 699 } 700 var results []string 701 iterator := &ProcessAncestorsIterator{} 702 value := iterator.Front(ctx) 703 for value != nil { 704 element := (*ProcessCacheEntry)(value) 705 result := element.ProcessContext.Process.ContainerID 706 results = append(results, result) 707 value = iterator.Next() 708 } 709 ctx.StringCache[field] = results 710 return results 711 }, Field: field, 712 Weight: eval.IteratorWeight, 713 }, nil 714 case "process.ancestors.created_at": 715 return &eval.IntArrayEvaluator{ 716 EvalFnc: func(ctx *eval.Context) []int { 717 ev := ctx.Event.(*Event) 718 if result, ok := ctx.IntCache[field]; ok { 719 return result 720 } 721 var results []int 722 iterator := &ProcessAncestorsIterator{} 723 value := iterator.Front(ctx) 724 for value != nil { 725 element := (*ProcessCacheEntry)(value) 726 result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) 727 results = append(results, result) 728 value = iterator.Next() 729 } 730 ctx.IntCache[field] = results 731 return results 732 }, Field: field, 733 Weight: eval.IteratorWeight, 734 }, nil 735 case "process.ancestors.envp": 736 return &eval.StringArrayEvaluator{ 737 EvalFnc: func(ctx *eval.Context) []string { 738 ev := ctx.Event.(*Event) 739 if result, ok := ctx.StringCache[field]; ok { 740 return result 741 } 742 var results []string 743 iterator := &ProcessAncestorsIterator{} 744 value := iterator.Front(ctx) 745 for value != nil { 746 element := (*ProcessCacheEntry)(value) 747 result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) 748 results = append(results, result...) 749 value = iterator.Next() 750 } 751 ctx.StringCache[field] = results 752 return results 753 }, Field: field, 754 Weight: 100 * eval.IteratorWeight, 755 }, nil 756 case "process.ancestors.envs": 757 return &eval.StringArrayEvaluator{ 758 EvalFnc: func(ctx *eval.Context) []string { 759 ev := ctx.Event.(*Event) 760 if result, ok := ctx.StringCache[field]; ok { 761 return result 762 } 763 var results []string 764 iterator := &ProcessAncestorsIterator{} 765 value := iterator.Front(ctx) 766 for value != nil { 767 element := (*ProcessCacheEntry)(value) 768 result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) 769 results = append(results, result...) 770 value = iterator.Next() 771 } 772 ctx.StringCache[field] = results 773 return results 774 }, Field: field, 775 Weight: 100 * eval.IteratorWeight, 776 }, nil 777 case "process.ancestors.file.name": 778 return &eval.StringArrayEvaluator{ 779 OpOverrides: eval.CaseInsensitiveCmp, 780 EvalFnc: func(ctx *eval.Context) []string { 781 ev := ctx.Event.(*Event) 782 if result, ok := ctx.StringCache[field]; ok { 783 return result 784 } 785 var results []string 786 iterator := &ProcessAncestorsIterator{} 787 value := iterator.Front(ctx) 788 for value != nil { 789 element := (*ProcessCacheEntry)(value) 790 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) 791 results = append(results, result) 792 value = iterator.Next() 793 } 794 ctx.StringCache[field] = results 795 return results 796 }, Field: field, 797 Weight: eval.IteratorWeight, 798 }, nil 799 case "process.ancestors.file.name.length": 800 return &eval.IntArrayEvaluator{ 801 OpOverrides: eval.CaseInsensitiveCmp, 802 EvalFnc: func(ctx *eval.Context) []int { 803 ev := ctx.Event.(*Event) 804 if result, ok := ctx.IntCache[field]; ok { 805 return result 806 } 807 var results []int 808 iterator := &ProcessAncestorsIterator{} 809 value := iterator.Front(ctx) 810 for value != nil { 811 element := (*ProcessCacheEntry)(value) 812 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)) 813 results = append(results, result) 814 value = iterator.Next() 815 } 816 ctx.IntCache[field] = results 817 return results 818 }, Field: field, 819 Weight: eval.IteratorWeight, 820 }, nil 821 case "process.ancestors.file.path": 822 return &eval.StringArrayEvaluator{ 823 OpOverrides: eval.WindowsPathCmp, 824 EvalFnc: func(ctx *eval.Context) []string { 825 ev := ctx.Event.(*Event) 826 if result, ok := ctx.StringCache[field]; ok { 827 return result 828 } 829 var results []string 830 iterator := &ProcessAncestorsIterator{} 831 value := iterator.Front(ctx) 832 for value != nil { 833 element := (*ProcessCacheEntry)(value) 834 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) 835 results = append(results, result) 836 value = iterator.Next() 837 } 838 ctx.StringCache[field] = results 839 return results 840 }, Field: field, 841 Weight: eval.IteratorWeight, 842 }, nil 843 case "process.ancestors.file.path.length": 844 return &eval.IntArrayEvaluator{ 845 OpOverrides: eval.WindowsPathCmp, 846 EvalFnc: func(ctx *eval.Context) []int { 847 ev := ctx.Event.(*Event) 848 if result, ok := ctx.IntCache[field]; ok { 849 return result 850 } 851 var results []int 852 iterator := &ProcessAncestorsIterator{} 853 value := iterator.Front(ctx) 854 for value != nil { 855 element := (*ProcessCacheEntry)(value) 856 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)) 857 results = append(results, result) 858 value = iterator.Next() 859 } 860 ctx.IntCache[field] = results 861 return results 862 }, Field: field, 863 Weight: eval.IteratorWeight, 864 }, nil 865 case "process.ancestors.pid": 866 return &eval.IntArrayEvaluator{ 867 EvalFnc: func(ctx *eval.Context) []int { 868 if result, ok := ctx.IntCache[field]; ok { 869 return result 870 } 871 var results []int 872 iterator := &ProcessAncestorsIterator{} 873 value := iterator.Front(ctx) 874 for value != nil { 875 element := (*ProcessCacheEntry)(value) 876 result := int(element.ProcessContext.Process.PIDContext.Pid) 877 results = append(results, result) 878 value = iterator.Next() 879 } 880 ctx.IntCache[field] = results 881 return results 882 }, Field: field, 883 Weight: eval.IteratorWeight, 884 }, nil 885 case "process.ancestors.ppid": 886 return &eval.IntArrayEvaluator{ 887 EvalFnc: func(ctx *eval.Context) []int { 888 if result, ok := ctx.IntCache[field]; ok { 889 return result 890 } 891 var results []int 892 iterator := &ProcessAncestorsIterator{} 893 value := iterator.Front(ctx) 894 for value != nil { 895 element := (*ProcessCacheEntry)(value) 896 result := int(element.ProcessContext.Process.PPid) 897 results = append(results, result) 898 value = iterator.Next() 899 } 900 ctx.IntCache[field] = results 901 return results 902 }, Field: field, 903 Weight: eval.IteratorWeight, 904 }, nil 905 case "process.ancestors.user": 906 return &eval.StringArrayEvaluator{ 907 EvalFnc: func(ctx *eval.Context) []string { 908 ev := ctx.Event.(*Event) 909 if result, ok := ctx.StringCache[field]; ok { 910 return result 911 } 912 var results []string 913 iterator := &ProcessAncestorsIterator{} 914 value := iterator.Front(ctx) 915 for value != nil { 916 element := (*ProcessCacheEntry)(value) 917 result := ev.FieldHandlers.ResolveUser(ev, &element.ProcessContext.Process) 918 results = append(results, result) 919 value = iterator.Next() 920 } 921 ctx.StringCache[field] = results 922 return results 923 }, Field: field, 924 Weight: eval.IteratorWeight, 925 }, nil 926 case "process.ancestors.user_sid": 927 return &eval.StringArrayEvaluator{ 928 EvalFnc: func(ctx *eval.Context) []string { 929 if result, ok := ctx.StringCache[field]; ok { 930 return result 931 } 932 var results []string 933 iterator := &ProcessAncestorsIterator{} 934 value := iterator.Front(ctx) 935 for value != nil { 936 element := (*ProcessCacheEntry)(value) 937 result := element.ProcessContext.Process.OwnerSidString 938 results = append(results, result) 939 value = iterator.Next() 940 } 941 ctx.StringCache[field] = results 942 return results 943 }, Field: field, 944 Weight: eval.IteratorWeight, 945 }, nil 946 case "process.cmdline": 947 return &eval.StringEvaluator{ 948 OpOverrides: eval.CaseInsensitiveCmp, 949 EvalFnc: func(ctx *eval.Context) string { 950 ev := ctx.Event.(*Event) 951 return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process) 952 }, 953 Field: field, 954 Weight: 200 * eval.HandlerWeight, 955 }, nil 956 case "process.container.id": 957 return &eval.StringEvaluator{ 958 EvalFnc: func(ctx *eval.Context) string { 959 ev := ctx.Event.(*Event) 960 return ev.BaseEvent.ProcessContext.Process.ContainerID 961 }, 962 Field: field, 963 Weight: eval.FunctionWeight, 964 }, nil 965 case "process.created_at": 966 return &eval.IntEvaluator{ 967 EvalFnc: func(ctx *eval.Context) int { 968 ev := ctx.Event.(*Event) 969 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)) 970 }, 971 Field: field, 972 Weight: eval.HandlerWeight, 973 }, nil 974 case "process.envp": 975 return &eval.StringArrayEvaluator{ 976 EvalFnc: func(ctx *eval.Context) []string { 977 ev := ctx.Event.(*Event) 978 return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process) 979 }, 980 Field: field, 981 Weight: 100 * eval.HandlerWeight, 982 }, nil 983 case "process.envs": 984 return &eval.StringArrayEvaluator{ 985 EvalFnc: func(ctx *eval.Context) []string { 986 ev := ctx.Event.(*Event) 987 return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process) 988 }, 989 Field: field, 990 Weight: 100 * eval.HandlerWeight, 991 }, nil 992 case "process.file.name": 993 return &eval.StringEvaluator{ 994 OpOverrides: eval.CaseInsensitiveCmp, 995 EvalFnc: func(ctx *eval.Context) string { 996 ev := ctx.Event.(*Event) 997 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) 998 }, 999 Field: field, 1000 Weight: eval.HandlerWeight, 1001 }, nil 1002 case "process.file.name.length": 1003 return &eval.IntEvaluator{ 1004 OpOverrides: eval.CaseInsensitiveCmp, 1005 EvalFnc: func(ctx *eval.Context) int { 1006 ev := ctx.Event.(*Event) 1007 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) 1008 }, 1009 Field: field, 1010 Weight: eval.HandlerWeight, 1011 }, nil 1012 case "process.file.path": 1013 return &eval.StringEvaluator{ 1014 OpOverrides: eval.WindowsPathCmp, 1015 EvalFnc: func(ctx *eval.Context) string { 1016 ev := ctx.Event.(*Event) 1017 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) 1018 }, 1019 Field: field, 1020 Weight: eval.HandlerWeight, 1021 }, nil 1022 case "process.file.path.length": 1023 return &eval.IntEvaluator{ 1024 OpOverrides: eval.WindowsPathCmp, 1025 EvalFnc: func(ctx *eval.Context) int { 1026 ev := ctx.Event.(*Event) 1027 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) 1028 }, 1029 Field: field, 1030 Weight: eval.HandlerWeight, 1031 }, nil 1032 case "process.parent.cmdline": 1033 return &eval.StringEvaluator{ 1034 OpOverrides: eval.CaseInsensitiveCmp, 1035 EvalFnc: func(ctx *eval.Context) string { 1036 ev := ctx.Event.(*Event) 1037 if !ev.BaseEvent.ProcessContext.HasParent() { 1038 return "" 1039 } 1040 return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent) 1041 }, 1042 Field: field, 1043 Weight: 200 * eval.HandlerWeight, 1044 }, nil 1045 case "process.parent.container.id": 1046 return &eval.StringEvaluator{ 1047 EvalFnc: func(ctx *eval.Context) string { 1048 ev := ctx.Event.(*Event) 1049 if !ev.BaseEvent.ProcessContext.HasParent() { 1050 return "" 1051 } 1052 return ev.BaseEvent.ProcessContext.Parent.ContainerID 1053 }, 1054 Field: field, 1055 Weight: eval.FunctionWeight, 1056 }, nil 1057 case "process.parent.created_at": 1058 return &eval.IntEvaluator{ 1059 EvalFnc: func(ctx *eval.Context) int { 1060 ev := ctx.Event.(*Event) 1061 if !ev.BaseEvent.ProcessContext.HasParent() { 1062 return 0 1063 } 1064 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)) 1065 }, 1066 Field: field, 1067 Weight: eval.HandlerWeight, 1068 }, nil 1069 case "process.parent.envp": 1070 return &eval.StringArrayEvaluator{ 1071 EvalFnc: func(ctx *eval.Context) []string { 1072 ev := ctx.Event.(*Event) 1073 if !ev.BaseEvent.ProcessContext.HasParent() { 1074 return []string{} 1075 } 1076 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent) 1077 }, 1078 Field: field, 1079 Weight: 100 * eval.HandlerWeight, 1080 }, nil 1081 case "process.parent.envs": 1082 return &eval.StringArrayEvaluator{ 1083 EvalFnc: func(ctx *eval.Context) []string { 1084 ev := ctx.Event.(*Event) 1085 if !ev.BaseEvent.ProcessContext.HasParent() { 1086 return []string{} 1087 } 1088 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent) 1089 }, 1090 Field: field, 1091 Weight: 100 * eval.HandlerWeight, 1092 }, nil 1093 case "process.parent.file.name": 1094 return &eval.StringEvaluator{ 1095 OpOverrides: eval.CaseInsensitiveCmp, 1096 EvalFnc: func(ctx *eval.Context) string { 1097 ev := ctx.Event.(*Event) 1098 if !ev.BaseEvent.ProcessContext.HasParent() { 1099 return "" 1100 } 1101 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 1102 }, 1103 Field: field, 1104 Weight: eval.HandlerWeight, 1105 }, nil 1106 case "process.parent.file.name.length": 1107 return &eval.IntEvaluator{ 1108 OpOverrides: eval.CaseInsensitiveCmp, 1109 EvalFnc: func(ctx *eval.Context) int { 1110 ev := ctx.Event.(*Event) 1111 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) 1112 }, 1113 Field: field, 1114 Weight: eval.HandlerWeight, 1115 }, nil 1116 case "process.parent.file.path": 1117 return &eval.StringEvaluator{ 1118 OpOverrides: eval.WindowsPathCmp, 1119 EvalFnc: func(ctx *eval.Context) string { 1120 ev := ctx.Event.(*Event) 1121 if !ev.BaseEvent.ProcessContext.HasParent() { 1122 return "" 1123 } 1124 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 1125 }, 1126 Field: field, 1127 Weight: eval.HandlerWeight, 1128 }, nil 1129 case "process.parent.file.path.length": 1130 return &eval.IntEvaluator{ 1131 OpOverrides: eval.WindowsPathCmp, 1132 EvalFnc: func(ctx *eval.Context) int { 1133 ev := ctx.Event.(*Event) 1134 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) 1135 }, 1136 Field: field, 1137 Weight: eval.HandlerWeight, 1138 }, nil 1139 case "process.parent.pid": 1140 return &eval.IntEvaluator{ 1141 EvalFnc: func(ctx *eval.Context) int { 1142 ev := ctx.Event.(*Event) 1143 if !ev.BaseEvent.ProcessContext.HasParent() { 1144 return 0 1145 } 1146 return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid) 1147 }, 1148 Field: field, 1149 Weight: eval.FunctionWeight, 1150 }, nil 1151 case "process.parent.ppid": 1152 return &eval.IntEvaluator{ 1153 EvalFnc: func(ctx *eval.Context) int { 1154 ev := ctx.Event.(*Event) 1155 if !ev.BaseEvent.ProcessContext.HasParent() { 1156 return 0 1157 } 1158 return int(ev.BaseEvent.ProcessContext.Parent.PPid) 1159 }, 1160 Field: field, 1161 Weight: eval.FunctionWeight, 1162 }, nil 1163 case "process.parent.user": 1164 return &eval.StringEvaluator{ 1165 EvalFnc: func(ctx *eval.Context) string { 1166 ev := ctx.Event.(*Event) 1167 if !ev.BaseEvent.ProcessContext.HasParent() { 1168 return "" 1169 } 1170 return ev.FieldHandlers.ResolveUser(ev, ev.BaseEvent.ProcessContext.Parent) 1171 }, 1172 Field: field, 1173 Weight: eval.HandlerWeight, 1174 }, nil 1175 case "process.parent.user_sid": 1176 return &eval.StringEvaluator{ 1177 EvalFnc: func(ctx *eval.Context) string { 1178 ev := ctx.Event.(*Event) 1179 if !ev.BaseEvent.ProcessContext.HasParent() { 1180 return "" 1181 } 1182 return ev.BaseEvent.ProcessContext.Parent.OwnerSidString 1183 }, 1184 Field: field, 1185 Weight: eval.FunctionWeight, 1186 }, nil 1187 case "process.pid": 1188 return &eval.IntEvaluator{ 1189 EvalFnc: func(ctx *eval.Context) int { 1190 ev := ctx.Event.(*Event) 1191 return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid) 1192 }, 1193 Field: field, 1194 Weight: eval.FunctionWeight, 1195 }, nil 1196 case "process.ppid": 1197 return &eval.IntEvaluator{ 1198 EvalFnc: func(ctx *eval.Context) int { 1199 ev := ctx.Event.(*Event) 1200 return int(ev.BaseEvent.ProcessContext.Process.PPid) 1201 }, 1202 Field: field, 1203 Weight: eval.FunctionWeight, 1204 }, nil 1205 case "process.user": 1206 return &eval.StringEvaluator{ 1207 EvalFnc: func(ctx *eval.Context) string { 1208 ev := ctx.Event.(*Event) 1209 return ev.FieldHandlers.ResolveUser(ev, &ev.BaseEvent.ProcessContext.Process) 1210 }, 1211 Field: field, 1212 Weight: eval.HandlerWeight, 1213 }, nil 1214 case "process.user_sid": 1215 return &eval.StringEvaluator{ 1216 EvalFnc: func(ctx *eval.Context) string { 1217 ev := ctx.Event.(*Event) 1218 return ev.BaseEvent.ProcessContext.Process.OwnerSidString 1219 }, 1220 Field: field, 1221 Weight: eval.FunctionWeight, 1222 }, nil 1223 case "rename.file.destination.device_path": 1224 return &eval.StringEvaluator{ 1225 OpOverrides: eval.WindowsPathCmp, 1226 EvalFnc: func(ctx *eval.Context) string { 1227 ev := ctx.Event.(*Event) 1228 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New) 1229 }, 1230 Field: field, 1231 Weight: eval.HandlerWeight, 1232 }, nil 1233 case "rename.file.destination.device_path.length": 1234 return &eval.IntEvaluator{ 1235 OpOverrides: eval.WindowsPathCmp, 1236 EvalFnc: func(ctx *eval.Context) int { 1237 ev := ctx.Event.(*Event) 1238 return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New)) 1239 }, 1240 Field: field, 1241 Weight: eval.HandlerWeight, 1242 }, nil 1243 case "rename.file.destination.name": 1244 return &eval.StringEvaluator{ 1245 OpOverrides: eval.CaseInsensitiveCmp, 1246 EvalFnc: func(ctx *eval.Context) string { 1247 ev := ctx.Event.(*Event) 1248 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New) 1249 }, 1250 Field: field, 1251 Weight: eval.HandlerWeight, 1252 }, nil 1253 case "rename.file.destination.name.length": 1254 return &eval.IntEvaluator{ 1255 OpOverrides: eval.CaseInsensitiveCmp, 1256 EvalFnc: func(ctx *eval.Context) int { 1257 ev := ctx.Event.(*Event) 1258 return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New)) 1259 }, 1260 Field: field, 1261 Weight: eval.HandlerWeight, 1262 }, nil 1263 case "rename.file.device_path": 1264 return &eval.StringEvaluator{ 1265 OpOverrides: eval.WindowsPathCmp, 1266 EvalFnc: func(ctx *eval.Context) string { 1267 ev := ctx.Event.(*Event) 1268 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old) 1269 }, 1270 Field: field, 1271 Weight: eval.HandlerWeight, 1272 }, nil 1273 case "rename.file.device_path.length": 1274 return &eval.IntEvaluator{ 1275 OpOverrides: eval.WindowsPathCmp, 1276 EvalFnc: func(ctx *eval.Context) int { 1277 ev := ctx.Event.(*Event) 1278 return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old)) 1279 }, 1280 Field: field, 1281 Weight: eval.HandlerWeight, 1282 }, nil 1283 case "rename.file.name": 1284 return &eval.StringEvaluator{ 1285 OpOverrides: eval.CaseInsensitiveCmp, 1286 EvalFnc: func(ctx *eval.Context) string { 1287 ev := ctx.Event.(*Event) 1288 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old) 1289 }, 1290 Field: field, 1291 Weight: eval.HandlerWeight, 1292 }, nil 1293 case "rename.file.name.length": 1294 return &eval.IntEvaluator{ 1295 OpOverrides: eval.CaseInsensitiveCmp, 1296 EvalFnc: func(ctx *eval.Context) int { 1297 ev := ctx.Event.(*Event) 1298 return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old)) 1299 }, 1300 Field: field, 1301 Weight: eval.HandlerWeight, 1302 }, nil 1303 case "set.registry.key_name": 1304 return &eval.StringEvaluator{ 1305 EvalFnc: func(ctx *eval.Context) string { 1306 ev := ctx.Event.(*Event) 1307 return ev.SetRegistryKeyValue.Registry.KeyName 1308 }, 1309 Field: field, 1310 Weight: eval.FunctionWeight, 1311 }, nil 1312 case "set.registry.key_name.length": 1313 return &eval.IntEvaluator{ 1314 EvalFnc: func(ctx *eval.Context) int { 1315 ev := ctx.Event.(*Event) 1316 return len(ev.SetRegistryKeyValue.Registry.KeyName) 1317 }, 1318 Field: field, 1319 Weight: eval.FunctionWeight, 1320 }, nil 1321 case "set.registry.key_path": 1322 return &eval.StringEvaluator{ 1323 OpOverrides: eval.CaseInsensitiveCmp, 1324 EvalFnc: func(ctx *eval.Context) string { 1325 ev := ctx.Event.(*Event) 1326 return ev.SetRegistryKeyValue.Registry.KeyPath 1327 }, 1328 Field: field, 1329 Weight: eval.FunctionWeight, 1330 }, nil 1331 case "set.registry.key_path.length": 1332 return &eval.IntEvaluator{ 1333 OpOverrides: eval.CaseInsensitiveCmp, 1334 EvalFnc: func(ctx *eval.Context) int { 1335 ev := ctx.Event.(*Event) 1336 return len(ev.SetRegistryKeyValue.Registry.KeyPath) 1337 }, 1338 Field: field, 1339 Weight: eval.FunctionWeight, 1340 }, nil 1341 case "set.registry.value_name": 1342 return &eval.StringEvaluator{ 1343 EvalFnc: func(ctx *eval.Context) string { 1344 ev := ctx.Event.(*Event) 1345 return ev.SetRegistryKeyValue.ValueName 1346 }, 1347 Field: field, 1348 Weight: eval.FunctionWeight, 1349 }, nil 1350 case "set.registry.value_name.length": 1351 return &eval.IntEvaluator{ 1352 EvalFnc: func(ctx *eval.Context) int { 1353 ev := ctx.Event.(*Event) 1354 return len(ev.SetRegistryKeyValue.ValueName) 1355 }, 1356 Field: field, 1357 Weight: eval.FunctionWeight, 1358 }, nil 1359 case "set.value_name": 1360 return &eval.StringEvaluator{ 1361 EvalFnc: func(ctx *eval.Context) string { 1362 ev := ctx.Event.(*Event) 1363 return ev.SetRegistryKeyValue.ValueName 1364 }, 1365 Field: field, 1366 Weight: eval.FunctionWeight, 1367 }, nil 1368 case "set_key_value.registry.key_name": 1369 return &eval.StringEvaluator{ 1370 EvalFnc: func(ctx *eval.Context) string { 1371 ev := ctx.Event.(*Event) 1372 return ev.SetRegistryKeyValue.Registry.KeyName 1373 }, 1374 Field: field, 1375 Weight: eval.FunctionWeight, 1376 }, nil 1377 case "set_key_value.registry.key_name.length": 1378 return &eval.IntEvaluator{ 1379 EvalFnc: func(ctx *eval.Context) int { 1380 ev := ctx.Event.(*Event) 1381 return len(ev.SetRegistryKeyValue.Registry.KeyName) 1382 }, 1383 Field: field, 1384 Weight: eval.FunctionWeight, 1385 }, nil 1386 case "set_key_value.registry.key_path": 1387 return &eval.StringEvaluator{ 1388 OpOverrides: eval.CaseInsensitiveCmp, 1389 EvalFnc: func(ctx *eval.Context) string { 1390 ev := ctx.Event.(*Event) 1391 return ev.SetRegistryKeyValue.Registry.KeyPath 1392 }, 1393 Field: field, 1394 Weight: eval.FunctionWeight, 1395 }, nil 1396 case "set_key_value.registry.key_path.length": 1397 return &eval.IntEvaluator{ 1398 OpOverrides: eval.CaseInsensitiveCmp, 1399 EvalFnc: func(ctx *eval.Context) int { 1400 ev := ctx.Event.(*Event) 1401 return len(ev.SetRegistryKeyValue.Registry.KeyPath) 1402 }, 1403 Field: field, 1404 Weight: eval.FunctionWeight, 1405 }, nil 1406 case "set_key_value.registry.value_name": 1407 return &eval.StringEvaluator{ 1408 EvalFnc: func(ctx *eval.Context) string { 1409 ev := ctx.Event.(*Event) 1410 return ev.SetRegistryKeyValue.ValueName 1411 }, 1412 Field: field, 1413 Weight: eval.FunctionWeight, 1414 }, nil 1415 case "set_key_value.registry.value_name.length": 1416 return &eval.IntEvaluator{ 1417 EvalFnc: func(ctx *eval.Context) int { 1418 ev := ctx.Event.(*Event) 1419 return len(ev.SetRegistryKeyValue.ValueName) 1420 }, 1421 Field: field, 1422 Weight: eval.FunctionWeight, 1423 }, nil 1424 case "set_key_value.value_name": 1425 return &eval.StringEvaluator{ 1426 EvalFnc: func(ctx *eval.Context) string { 1427 ev := ctx.Event.(*Event) 1428 return ev.SetRegistryKeyValue.ValueName 1429 }, 1430 Field: field, 1431 Weight: eval.FunctionWeight, 1432 }, nil 1433 case "write.file.device_path": 1434 return &eval.StringEvaluator{ 1435 OpOverrides: eval.WindowsPathCmp, 1436 EvalFnc: func(ctx *eval.Context) string { 1437 ev := ctx.Event.(*Event) 1438 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File) 1439 }, 1440 Field: field, 1441 Weight: eval.HandlerWeight, 1442 }, nil 1443 case "write.file.device_path.length": 1444 return &eval.IntEvaluator{ 1445 OpOverrides: eval.WindowsPathCmp, 1446 EvalFnc: func(ctx *eval.Context) int { 1447 ev := ctx.Event.(*Event) 1448 return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File)) 1449 }, 1450 Field: field, 1451 Weight: eval.HandlerWeight, 1452 }, nil 1453 case "write.file.name": 1454 return &eval.StringEvaluator{ 1455 OpOverrides: eval.CaseInsensitiveCmp, 1456 EvalFnc: func(ctx *eval.Context) string { 1457 ev := ctx.Event.(*Event) 1458 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File) 1459 }, 1460 Field: field, 1461 Weight: eval.HandlerWeight, 1462 }, nil 1463 case "write.file.name.length": 1464 return &eval.IntEvaluator{ 1465 OpOverrides: eval.CaseInsensitiveCmp, 1466 EvalFnc: func(ctx *eval.Context) int { 1467 ev := ctx.Event.(*Event) 1468 return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File)) 1469 }, 1470 Field: field, 1471 Weight: eval.HandlerWeight, 1472 }, nil 1473 } 1474 return nil, &eval.ErrFieldNotFound{Field: field} 1475 } 1476 func (ev *Event) GetFields() []eval.Field { 1477 return []eval.Field{ 1478 "container.created_at", 1479 "container.id", 1480 "container.tags", 1481 "create.file.device_path", 1482 "create.file.device_path.length", 1483 "create.file.name", 1484 "create.file.name.length", 1485 "create.registry.key_name", 1486 "create.registry.key_name.length", 1487 "create.registry.key_path", 1488 "create.registry.key_path.length", 1489 "create_key.registry.key_name", 1490 "create_key.registry.key_name.length", 1491 "create_key.registry.key_path", 1492 "create_key.registry.key_path.length", 1493 "delete.file.device_path", 1494 "delete.file.device_path.length", 1495 "delete.file.name", 1496 "delete.file.name.length", 1497 "delete.registry.key_name", 1498 "delete.registry.key_name.length", 1499 "delete.registry.key_path", 1500 "delete.registry.key_path.length", 1501 "delete_key.registry.key_name", 1502 "delete_key.registry.key_name.length", 1503 "delete_key.registry.key_path", 1504 "delete_key.registry.key_path.length", 1505 "event.origin", 1506 "event.os", 1507 "event.service", 1508 "event.timestamp", 1509 "exec.cmdline", 1510 "exec.container.id", 1511 "exec.created_at", 1512 "exec.envp", 1513 "exec.envs", 1514 "exec.file.name", 1515 "exec.file.name.length", 1516 "exec.file.path", 1517 "exec.file.path.length", 1518 "exec.pid", 1519 "exec.ppid", 1520 "exec.user", 1521 "exec.user_sid", 1522 "exit.cause", 1523 "exit.cmdline", 1524 "exit.code", 1525 "exit.container.id", 1526 "exit.created_at", 1527 "exit.envp", 1528 "exit.envs", 1529 "exit.file.name", 1530 "exit.file.name.length", 1531 "exit.file.path", 1532 "exit.file.path.length", 1533 "exit.pid", 1534 "exit.ppid", 1535 "exit.user", 1536 "exit.user_sid", 1537 "open.registry.key_name", 1538 "open.registry.key_name.length", 1539 "open.registry.key_path", 1540 "open.registry.key_path.length", 1541 "open_key.registry.key_name", 1542 "open_key.registry.key_name.length", 1543 "open_key.registry.key_path", 1544 "open_key.registry.key_path.length", 1545 "process.ancestors.cmdline", 1546 "process.ancestors.container.id", 1547 "process.ancestors.created_at", 1548 "process.ancestors.envp", 1549 "process.ancestors.envs", 1550 "process.ancestors.file.name", 1551 "process.ancestors.file.name.length", 1552 "process.ancestors.file.path", 1553 "process.ancestors.file.path.length", 1554 "process.ancestors.pid", 1555 "process.ancestors.ppid", 1556 "process.ancestors.user", 1557 "process.ancestors.user_sid", 1558 "process.cmdline", 1559 "process.container.id", 1560 "process.created_at", 1561 "process.envp", 1562 "process.envs", 1563 "process.file.name", 1564 "process.file.name.length", 1565 "process.file.path", 1566 "process.file.path.length", 1567 "process.parent.cmdline", 1568 "process.parent.container.id", 1569 "process.parent.created_at", 1570 "process.parent.envp", 1571 "process.parent.envs", 1572 "process.parent.file.name", 1573 "process.parent.file.name.length", 1574 "process.parent.file.path", 1575 "process.parent.file.path.length", 1576 "process.parent.pid", 1577 "process.parent.ppid", 1578 "process.parent.user", 1579 "process.parent.user_sid", 1580 "process.pid", 1581 "process.ppid", 1582 "process.user", 1583 "process.user_sid", 1584 "rename.file.destination.device_path", 1585 "rename.file.destination.device_path.length", 1586 "rename.file.destination.name", 1587 "rename.file.destination.name.length", 1588 "rename.file.device_path", 1589 "rename.file.device_path.length", 1590 "rename.file.name", 1591 "rename.file.name.length", 1592 "set.registry.key_name", 1593 "set.registry.key_name.length", 1594 "set.registry.key_path", 1595 "set.registry.key_path.length", 1596 "set.registry.value_name", 1597 "set.registry.value_name.length", 1598 "set.value_name", 1599 "set_key_value.registry.key_name", 1600 "set_key_value.registry.key_name.length", 1601 "set_key_value.registry.key_path", 1602 "set_key_value.registry.key_path.length", 1603 "set_key_value.registry.value_name", 1604 "set_key_value.registry.value_name.length", 1605 "set_key_value.value_name", 1606 "write.file.device_path", 1607 "write.file.device_path.length", 1608 "write.file.name", 1609 "write.file.name.length", 1610 } 1611 } 1612 func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) { 1613 switch field { 1614 case "container.created_at": 1615 return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)), nil 1616 case "container.id": 1617 return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext), nil 1618 case "container.tags": 1619 return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext), nil 1620 case "create.file.device_path": 1621 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File), nil 1622 case "create.file.device_path.length": 1623 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File), nil 1624 case "create.file.name": 1625 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File), nil 1626 case "create.file.name.length": 1627 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File), nil 1628 case "create.registry.key_name": 1629 return ev.CreateRegistryKey.Registry.KeyName, nil 1630 case "create.registry.key_name.length": 1631 return len(ev.CreateRegistryKey.Registry.KeyName), nil 1632 case "create.registry.key_path": 1633 return ev.CreateRegistryKey.Registry.KeyPath, nil 1634 case "create.registry.key_path.length": 1635 return len(ev.CreateRegistryKey.Registry.KeyPath), nil 1636 case "create_key.registry.key_name": 1637 return ev.CreateRegistryKey.Registry.KeyName, nil 1638 case "create_key.registry.key_name.length": 1639 return len(ev.CreateRegistryKey.Registry.KeyName), nil 1640 case "create_key.registry.key_path": 1641 return ev.CreateRegistryKey.Registry.KeyPath, nil 1642 case "create_key.registry.key_path.length": 1643 return len(ev.CreateRegistryKey.Registry.KeyPath), nil 1644 case "delete.file.device_path": 1645 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File), nil 1646 case "delete.file.device_path.length": 1647 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File), nil 1648 case "delete.file.name": 1649 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File), nil 1650 case "delete.file.name.length": 1651 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File), nil 1652 case "delete.registry.key_name": 1653 return ev.DeleteRegistryKey.Registry.KeyName, nil 1654 case "delete.registry.key_name.length": 1655 return len(ev.DeleteRegistryKey.Registry.KeyName), nil 1656 case "delete.registry.key_path": 1657 return ev.DeleteRegistryKey.Registry.KeyPath, nil 1658 case "delete.registry.key_path.length": 1659 return len(ev.DeleteRegistryKey.Registry.KeyPath), nil 1660 case "delete_key.registry.key_name": 1661 return ev.DeleteRegistryKey.Registry.KeyName, nil 1662 case "delete_key.registry.key_name.length": 1663 return len(ev.DeleteRegistryKey.Registry.KeyName), nil 1664 case "delete_key.registry.key_path": 1665 return ev.DeleteRegistryKey.Registry.KeyPath, nil 1666 case "delete_key.registry.key_path.length": 1667 return len(ev.DeleteRegistryKey.Registry.KeyPath), nil 1668 case "event.origin": 1669 return ev.BaseEvent.Origin, nil 1670 case "event.os": 1671 return ev.BaseEvent.Os, nil 1672 case "event.service": 1673 return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent), nil 1674 case "event.timestamp": 1675 return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)), nil 1676 case "exec.cmdline": 1677 return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process), nil 1678 case "exec.container.id": 1679 return ev.Exec.Process.ContainerID, nil 1680 case "exec.created_at": 1681 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)), nil 1682 case "exec.envp": 1683 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process), nil 1684 case "exec.envs": 1685 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process), nil 1686 case "exec.file.name": 1687 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil 1688 case "exec.file.name.length": 1689 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil 1690 case "exec.file.path": 1691 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil 1692 case "exec.file.path.length": 1693 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil 1694 case "exec.pid": 1695 return int(ev.Exec.Process.PIDContext.Pid), nil 1696 case "exec.ppid": 1697 return int(ev.Exec.Process.PPid), nil 1698 case "exec.user": 1699 return ev.FieldHandlers.ResolveUser(ev, ev.Exec.Process), nil 1700 case "exec.user_sid": 1701 return ev.Exec.Process.OwnerSidString, nil 1702 case "exit.cause": 1703 return int(ev.Exit.Cause), nil 1704 case "exit.cmdline": 1705 return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process), nil 1706 case "exit.code": 1707 return int(ev.Exit.Code), nil 1708 case "exit.container.id": 1709 return ev.Exit.Process.ContainerID, nil 1710 case "exit.created_at": 1711 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)), nil 1712 case "exit.envp": 1713 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process), nil 1714 case "exit.envs": 1715 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process), nil 1716 case "exit.file.name": 1717 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil 1718 case "exit.file.name.length": 1719 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil 1720 case "exit.file.path": 1721 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil 1722 case "exit.file.path.length": 1723 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil 1724 case "exit.pid": 1725 return int(ev.Exit.Process.PIDContext.Pid), nil 1726 case "exit.ppid": 1727 return int(ev.Exit.Process.PPid), nil 1728 case "exit.user": 1729 return ev.FieldHandlers.ResolveUser(ev, ev.Exit.Process), nil 1730 case "exit.user_sid": 1731 return ev.Exit.Process.OwnerSidString, nil 1732 case "open.registry.key_name": 1733 return ev.OpenRegistryKey.Registry.KeyName, nil 1734 case "open.registry.key_name.length": 1735 return len(ev.OpenRegistryKey.Registry.KeyName), nil 1736 case "open.registry.key_path": 1737 return ev.OpenRegistryKey.Registry.KeyPath, nil 1738 case "open.registry.key_path.length": 1739 return len(ev.OpenRegistryKey.Registry.KeyPath), nil 1740 case "open_key.registry.key_name": 1741 return ev.OpenRegistryKey.Registry.KeyName, nil 1742 case "open_key.registry.key_name.length": 1743 return len(ev.OpenRegistryKey.Registry.KeyName), nil 1744 case "open_key.registry.key_path": 1745 return ev.OpenRegistryKey.Registry.KeyPath, nil 1746 case "open_key.registry.key_path.length": 1747 return len(ev.OpenRegistryKey.Registry.KeyPath), nil 1748 case "process.ancestors.cmdline": 1749 var values []string 1750 ctx := eval.NewContext(ev) 1751 iterator := &ProcessAncestorsIterator{} 1752 ptr := iterator.Front(ctx) 1753 for ptr != nil { 1754 element := (*ProcessCacheEntry)(ptr) 1755 result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process) 1756 values = append(values, result) 1757 ptr = iterator.Next() 1758 } 1759 return values, nil 1760 case "process.ancestors.container.id": 1761 var values []string 1762 ctx := eval.NewContext(ev) 1763 iterator := &ProcessAncestorsIterator{} 1764 ptr := iterator.Front(ctx) 1765 for ptr != nil { 1766 element := (*ProcessCacheEntry)(ptr) 1767 result := element.ProcessContext.Process.ContainerID 1768 values = append(values, result) 1769 ptr = iterator.Next() 1770 } 1771 return values, nil 1772 case "process.ancestors.created_at": 1773 var values []int 1774 ctx := eval.NewContext(ev) 1775 iterator := &ProcessAncestorsIterator{} 1776 ptr := iterator.Front(ctx) 1777 for ptr != nil { 1778 element := (*ProcessCacheEntry)(ptr) 1779 result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) 1780 values = append(values, result) 1781 ptr = iterator.Next() 1782 } 1783 return values, nil 1784 case "process.ancestors.envp": 1785 var values []string 1786 ctx := eval.NewContext(ev) 1787 iterator := &ProcessAncestorsIterator{} 1788 ptr := iterator.Front(ctx) 1789 for ptr != nil { 1790 element := (*ProcessCacheEntry)(ptr) 1791 result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) 1792 values = append(values, result...) 1793 ptr = iterator.Next() 1794 } 1795 return values, nil 1796 case "process.ancestors.envs": 1797 var values []string 1798 ctx := eval.NewContext(ev) 1799 iterator := &ProcessAncestorsIterator{} 1800 ptr := iterator.Front(ctx) 1801 for ptr != nil { 1802 element := (*ProcessCacheEntry)(ptr) 1803 result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) 1804 values = append(values, result...) 1805 ptr = iterator.Next() 1806 } 1807 return values, nil 1808 case "process.ancestors.file.name": 1809 var values []string 1810 ctx := eval.NewContext(ev) 1811 iterator := &ProcessAncestorsIterator{} 1812 ptr := iterator.Front(ctx) 1813 for ptr != nil { 1814 element := (*ProcessCacheEntry)(ptr) 1815 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) 1816 values = append(values, result) 1817 ptr = iterator.Next() 1818 } 1819 return values, nil 1820 case "process.ancestors.file.name.length": 1821 var values []int 1822 ctx := eval.NewContext(ev) 1823 iterator := &ProcessAncestorsIterator{} 1824 ptr := iterator.Front(ctx) 1825 for ptr != nil { 1826 element := (*ProcessCacheEntry)(ptr) 1827 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)) 1828 values = append(values, result) 1829 ptr = iterator.Next() 1830 } 1831 return values, nil 1832 case "process.ancestors.file.path": 1833 var values []string 1834 ctx := eval.NewContext(ev) 1835 iterator := &ProcessAncestorsIterator{} 1836 ptr := iterator.Front(ctx) 1837 for ptr != nil { 1838 element := (*ProcessCacheEntry)(ptr) 1839 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) 1840 values = append(values, result) 1841 ptr = iterator.Next() 1842 } 1843 return values, nil 1844 case "process.ancestors.file.path.length": 1845 var values []int 1846 ctx := eval.NewContext(ev) 1847 iterator := &ProcessAncestorsIterator{} 1848 ptr := iterator.Front(ctx) 1849 for ptr != nil { 1850 element := (*ProcessCacheEntry)(ptr) 1851 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)) 1852 values = append(values, result) 1853 ptr = iterator.Next() 1854 } 1855 return values, nil 1856 case "process.ancestors.pid": 1857 var values []int 1858 ctx := eval.NewContext(ev) 1859 iterator := &ProcessAncestorsIterator{} 1860 ptr := iterator.Front(ctx) 1861 for ptr != nil { 1862 element := (*ProcessCacheEntry)(ptr) 1863 result := int(element.ProcessContext.Process.PIDContext.Pid) 1864 values = append(values, result) 1865 ptr = iterator.Next() 1866 } 1867 return values, nil 1868 case "process.ancestors.ppid": 1869 var values []int 1870 ctx := eval.NewContext(ev) 1871 iterator := &ProcessAncestorsIterator{} 1872 ptr := iterator.Front(ctx) 1873 for ptr != nil { 1874 element := (*ProcessCacheEntry)(ptr) 1875 result := int(element.ProcessContext.Process.PPid) 1876 values = append(values, result) 1877 ptr = iterator.Next() 1878 } 1879 return values, nil 1880 case "process.ancestors.user": 1881 var values []string 1882 ctx := eval.NewContext(ev) 1883 iterator := &ProcessAncestorsIterator{} 1884 ptr := iterator.Front(ctx) 1885 for ptr != nil { 1886 element := (*ProcessCacheEntry)(ptr) 1887 result := ev.FieldHandlers.ResolveUser(ev, &element.ProcessContext.Process) 1888 values = append(values, result) 1889 ptr = iterator.Next() 1890 } 1891 return values, nil 1892 case "process.ancestors.user_sid": 1893 var values []string 1894 ctx := eval.NewContext(ev) 1895 iterator := &ProcessAncestorsIterator{} 1896 ptr := iterator.Front(ctx) 1897 for ptr != nil { 1898 element := (*ProcessCacheEntry)(ptr) 1899 result := element.ProcessContext.Process.OwnerSidString 1900 values = append(values, result) 1901 ptr = iterator.Next() 1902 } 1903 return values, nil 1904 case "process.cmdline": 1905 return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process), nil 1906 case "process.container.id": 1907 return ev.BaseEvent.ProcessContext.Process.ContainerID, nil 1908 case "process.created_at": 1909 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)), nil 1910 case "process.envp": 1911 return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process), nil 1912 case "process.envs": 1913 return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process), nil 1914 case "process.file.name": 1915 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 1916 case "process.file.name.length": 1917 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 1918 case "process.file.path": 1919 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 1920 case "process.file.path.length": 1921 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 1922 case "process.parent.cmdline": 1923 if !ev.BaseEvent.ProcessContext.HasParent() { 1924 return "", &eval.ErrNotSupported{Field: field} 1925 } 1926 return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent), nil 1927 case "process.parent.container.id": 1928 if !ev.BaseEvent.ProcessContext.HasParent() { 1929 return "", &eval.ErrNotSupported{Field: field} 1930 } 1931 return ev.BaseEvent.ProcessContext.Parent.ContainerID, nil 1932 case "process.parent.created_at": 1933 if !ev.BaseEvent.ProcessContext.HasParent() { 1934 return 0, &eval.ErrNotSupported{Field: field} 1935 } 1936 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)), nil 1937 case "process.parent.envp": 1938 if !ev.BaseEvent.ProcessContext.HasParent() { 1939 return []string{}, &eval.ErrNotSupported{Field: field} 1940 } 1941 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent), nil 1942 case "process.parent.envs": 1943 if !ev.BaseEvent.ProcessContext.HasParent() { 1944 return []string{}, &eval.ErrNotSupported{Field: field} 1945 } 1946 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent), nil 1947 case "process.parent.file.name": 1948 if !ev.BaseEvent.ProcessContext.HasParent() { 1949 return "", &eval.ErrNotSupported{Field: field} 1950 } 1951 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 1952 case "process.parent.file.name.length": 1953 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 1954 case "process.parent.file.path": 1955 if !ev.BaseEvent.ProcessContext.HasParent() { 1956 return "", &eval.ErrNotSupported{Field: field} 1957 } 1958 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 1959 case "process.parent.file.path.length": 1960 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 1961 case "process.parent.pid": 1962 if !ev.BaseEvent.ProcessContext.HasParent() { 1963 return 0, &eval.ErrNotSupported{Field: field} 1964 } 1965 return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid), nil 1966 case "process.parent.ppid": 1967 if !ev.BaseEvent.ProcessContext.HasParent() { 1968 return 0, &eval.ErrNotSupported{Field: field} 1969 } 1970 return int(ev.BaseEvent.ProcessContext.Parent.PPid), nil 1971 case "process.parent.user": 1972 if !ev.BaseEvent.ProcessContext.HasParent() { 1973 return "", &eval.ErrNotSupported{Field: field} 1974 } 1975 return ev.FieldHandlers.ResolveUser(ev, ev.BaseEvent.ProcessContext.Parent), nil 1976 case "process.parent.user_sid": 1977 if !ev.BaseEvent.ProcessContext.HasParent() { 1978 return "", &eval.ErrNotSupported{Field: field} 1979 } 1980 return ev.BaseEvent.ProcessContext.Parent.OwnerSidString, nil 1981 case "process.pid": 1982 return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid), nil 1983 case "process.ppid": 1984 return int(ev.BaseEvent.ProcessContext.Process.PPid), nil 1985 case "process.user": 1986 return ev.FieldHandlers.ResolveUser(ev, &ev.BaseEvent.ProcessContext.Process), nil 1987 case "process.user_sid": 1988 return ev.BaseEvent.ProcessContext.Process.OwnerSidString, nil 1989 case "rename.file.destination.device_path": 1990 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New), nil 1991 case "rename.file.destination.device_path.length": 1992 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New), nil 1993 case "rename.file.destination.name": 1994 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New), nil 1995 case "rename.file.destination.name.length": 1996 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New), nil 1997 case "rename.file.device_path": 1998 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old), nil 1999 case "rename.file.device_path.length": 2000 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old), nil 2001 case "rename.file.name": 2002 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old), nil 2003 case "rename.file.name.length": 2004 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old), nil 2005 case "set.registry.key_name": 2006 return ev.SetRegistryKeyValue.Registry.KeyName, nil 2007 case "set.registry.key_name.length": 2008 return len(ev.SetRegistryKeyValue.Registry.KeyName), nil 2009 case "set.registry.key_path": 2010 return ev.SetRegistryKeyValue.Registry.KeyPath, nil 2011 case "set.registry.key_path.length": 2012 return len(ev.SetRegistryKeyValue.Registry.KeyPath), nil 2013 case "set.registry.value_name": 2014 return ev.SetRegistryKeyValue.ValueName, nil 2015 case "set.registry.value_name.length": 2016 return len(ev.SetRegistryKeyValue.ValueName), nil 2017 case "set.value_name": 2018 return ev.SetRegistryKeyValue.ValueName, nil 2019 case "set_key_value.registry.key_name": 2020 return ev.SetRegistryKeyValue.Registry.KeyName, nil 2021 case "set_key_value.registry.key_name.length": 2022 return len(ev.SetRegistryKeyValue.Registry.KeyName), nil 2023 case "set_key_value.registry.key_path": 2024 return ev.SetRegistryKeyValue.Registry.KeyPath, nil 2025 case "set_key_value.registry.key_path.length": 2026 return len(ev.SetRegistryKeyValue.Registry.KeyPath), nil 2027 case "set_key_value.registry.value_name": 2028 return ev.SetRegistryKeyValue.ValueName, nil 2029 case "set_key_value.registry.value_name.length": 2030 return len(ev.SetRegistryKeyValue.ValueName), nil 2031 case "set_key_value.value_name": 2032 return ev.SetRegistryKeyValue.ValueName, nil 2033 case "write.file.device_path": 2034 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File), nil 2035 case "write.file.device_path.length": 2036 return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File), nil 2037 case "write.file.name": 2038 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File), nil 2039 case "write.file.name.length": 2040 return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File), nil 2041 } 2042 return nil, &eval.ErrFieldNotFound{Field: field} 2043 } 2044 func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) { 2045 switch field { 2046 case "container.created_at": 2047 return "*", nil 2048 case "container.id": 2049 return "*", nil 2050 case "container.tags": 2051 return "*", nil 2052 case "create.file.device_path": 2053 return "create", nil 2054 case "create.file.device_path.length": 2055 return "create", nil 2056 case "create.file.name": 2057 return "create", nil 2058 case "create.file.name.length": 2059 return "create", nil 2060 case "create.registry.key_name": 2061 return "create_key", nil 2062 case "create.registry.key_name.length": 2063 return "create_key", nil 2064 case "create.registry.key_path": 2065 return "create_key", nil 2066 case "create.registry.key_path.length": 2067 return "create_key", nil 2068 case "create_key.registry.key_name": 2069 return "create_key", nil 2070 case "create_key.registry.key_name.length": 2071 return "create_key", nil 2072 case "create_key.registry.key_path": 2073 return "create_key", nil 2074 case "create_key.registry.key_path.length": 2075 return "create_key", nil 2076 case "delete.file.device_path": 2077 return "delete", nil 2078 case "delete.file.device_path.length": 2079 return "delete", nil 2080 case "delete.file.name": 2081 return "delete", nil 2082 case "delete.file.name.length": 2083 return "delete", nil 2084 case "delete.registry.key_name": 2085 return "delete_key", nil 2086 case "delete.registry.key_name.length": 2087 return "delete_key", nil 2088 case "delete.registry.key_path": 2089 return "delete_key", nil 2090 case "delete.registry.key_path.length": 2091 return "delete_key", nil 2092 case "delete_key.registry.key_name": 2093 return "delete_key", nil 2094 case "delete_key.registry.key_name.length": 2095 return "delete_key", nil 2096 case "delete_key.registry.key_path": 2097 return "delete_key", nil 2098 case "delete_key.registry.key_path.length": 2099 return "delete_key", nil 2100 case "event.origin": 2101 return "*", nil 2102 case "event.os": 2103 return "*", nil 2104 case "event.service": 2105 return "*", nil 2106 case "event.timestamp": 2107 return "*", nil 2108 case "exec.cmdline": 2109 return "exec", nil 2110 case "exec.container.id": 2111 return "exec", nil 2112 case "exec.created_at": 2113 return "exec", nil 2114 case "exec.envp": 2115 return "exec", nil 2116 case "exec.envs": 2117 return "exec", nil 2118 case "exec.file.name": 2119 return "exec", nil 2120 case "exec.file.name.length": 2121 return "exec", nil 2122 case "exec.file.path": 2123 return "exec", nil 2124 case "exec.file.path.length": 2125 return "exec", nil 2126 case "exec.pid": 2127 return "exec", nil 2128 case "exec.ppid": 2129 return "exec", nil 2130 case "exec.user": 2131 return "exec", nil 2132 case "exec.user_sid": 2133 return "exec", nil 2134 case "exit.cause": 2135 return "exit", nil 2136 case "exit.cmdline": 2137 return "exit", nil 2138 case "exit.code": 2139 return "exit", nil 2140 case "exit.container.id": 2141 return "exit", nil 2142 case "exit.created_at": 2143 return "exit", nil 2144 case "exit.envp": 2145 return "exit", nil 2146 case "exit.envs": 2147 return "exit", nil 2148 case "exit.file.name": 2149 return "exit", nil 2150 case "exit.file.name.length": 2151 return "exit", nil 2152 case "exit.file.path": 2153 return "exit", nil 2154 case "exit.file.path.length": 2155 return "exit", nil 2156 case "exit.pid": 2157 return "exit", nil 2158 case "exit.ppid": 2159 return "exit", nil 2160 case "exit.user": 2161 return "exit", nil 2162 case "exit.user_sid": 2163 return "exit", nil 2164 case "open.registry.key_name": 2165 return "open_key", nil 2166 case "open.registry.key_name.length": 2167 return "open_key", nil 2168 case "open.registry.key_path": 2169 return "open_key", nil 2170 case "open.registry.key_path.length": 2171 return "open_key", nil 2172 case "open_key.registry.key_name": 2173 return "open_key", nil 2174 case "open_key.registry.key_name.length": 2175 return "open_key", nil 2176 case "open_key.registry.key_path": 2177 return "open_key", nil 2178 case "open_key.registry.key_path.length": 2179 return "open_key", nil 2180 case "process.ancestors.cmdline": 2181 return "*", nil 2182 case "process.ancestors.container.id": 2183 return "*", nil 2184 case "process.ancestors.created_at": 2185 return "*", nil 2186 case "process.ancestors.envp": 2187 return "*", nil 2188 case "process.ancestors.envs": 2189 return "*", nil 2190 case "process.ancestors.file.name": 2191 return "*", nil 2192 case "process.ancestors.file.name.length": 2193 return "*", nil 2194 case "process.ancestors.file.path": 2195 return "*", nil 2196 case "process.ancestors.file.path.length": 2197 return "*", nil 2198 case "process.ancestors.pid": 2199 return "*", nil 2200 case "process.ancestors.ppid": 2201 return "*", nil 2202 case "process.ancestors.user": 2203 return "*", nil 2204 case "process.ancestors.user_sid": 2205 return "*", nil 2206 case "process.cmdline": 2207 return "*", nil 2208 case "process.container.id": 2209 return "*", nil 2210 case "process.created_at": 2211 return "*", nil 2212 case "process.envp": 2213 return "*", nil 2214 case "process.envs": 2215 return "*", nil 2216 case "process.file.name": 2217 return "*", nil 2218 case "process.file.name.length": 2219 return "*", nil 2220 case "process.file.path": 2221 return "*", nil 2222 case "process.file.path.length": 2223 return "*", nil 2224 case "process.parent.cmdline": 2225 return "*", nil 2226 case "process.parent.container.id": 2227 return "*", nil 2228 case "process.parent.created_at": 2229 return "*", nil 2230 case "process.parent.envp": 2231 return "*", nil 2232 case "process.parent.envs": 2233 return "*", nil 2234 case "process.parent.file.name": 2235 return "*", nil 2236 case "process.parent.file.name.length": 2237 return "*", nil 2238 case "process.parent.file.path": 2239 return "*", nil 2240 case "process.parent.file.path.length": 2241 return "*", nil 2242 case "process.parent.pid": 2243 return "*", nil 2244 case "process.parent.ppid": 2245 return "*", nil 2246 case "process.parent.user": 2247 return "*", nil 2248 case "process.parent.user_sid": 2249 return "*", nil 2250 case "process.pid": 2251 return "*", nil 2252 case "process.ppid": 2253 return "*", nil 2254 case "process.user": 2255 return "*", nil 2256 case "process.user_sid": 2257 return "*", nil 2258 case "rename.file.destination.device_path": 2259 return "rename", nil 2260 case "rename.file.destination.device_path.length": 2261 return "rename", nil 2262 case "rename.file.destination.name": 2263 return "rename", nil 2264 case "rename.file.destination.name.length": 2265 return "rename", nil 2266 case "rename.file.device_path": 2267 return "rename", nil 2268 case "rename.file.device_path.length": 2269 return "rename", nil 2270 case "rename.file.name": 2271 return "rename", nil 2272 case "rename.file.name.length": 2273 return "rename", nil 2274 case "set.registry.key_name": 2275 return "set_key_value", nil 2276 case "set.registry.key_name.length": 2277 return "set_key_value", nil 2278 case "set.registry.key_path": 2279 return "set_key_value", nil 2280 case "set.registry.key_path.length": 2281 return "set_key_value", nil 2282 case "set.registry.value_name": 2283 return "set_key_value", nil 2284 case "set.registry.value_name.length": 2285 return "set_key_value", nil 2286 case "set.value_name": 2287 return "set_key_value", nil 2288 case "set_key_value.registry.key_name": 2289 return "set_key_value", nil 2290 case "set_key_value.registry.key_name.length": 2291 return "set_key_value", nil 2292 case "set_key_value.registry.key_path": 2293 return "set_key_value", nil 2294 case "set_key_value.registry.key_path.length": 2295 return "set_key_value", nil 2296 case "set_key_value.registry.value_name": 2297 return "set_key_value", nil 2298 case "set_key_value.registry.value_name.length": 2299 return "set_key_value", nil 2300 case "set_key_value.value_name": 2301 return "set_key_value", nil 2302 case "write.file.device_path": 2303 return "write", nil 2304 case "write.file.device_path.length": 2305 return "write", nil 2306 case "write.file.name": 2307 return "write", nil 2308 case "write.file.name.length": 2309 return "write", nil 2310 } 2311 return "", &eval.ErrFieldNotFound{Field: field} 2312 } 2313 func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) { 2314 switch field { 2315 case "container.created_at": 2316 return reflect.Int, nil 2317 case "container.id": 2318 return reflect.String, nil 2319 case "container.tags": 2320 return reflect.String, nil 2321 case "create.file.device_path": 2322 return reflect.String, nil 2323 case "create.file.device_path.length": 2324 return reflect.Int, nil 2325 case "create.file.name": 2326 return reflect.String, nil 2327 case "create.file.name.length": 2328 return reflect.Int, nil 2329 case "create.registry.key_name": 2330 return reflect.String, nil 2331 case "create.registry.key_name.length": 2332 return reflect.Int, nil 2333 case "create.registry.key_path": 2334 return reflect.String, nil 2335 case "create.registry.key_path.length": 2336 return reflect.Int, nil 2337 case "create_key.registry.key_name": 2338 return reflect.String, nil 2339 case "create_key.registry.key_name.length": 2340 return reflect.Int, nil 2341 case "create_key.registry.key_path": 2342 return reflect.String, nil 2343 case "create_key.registry.key_path.length": 2344 return reflect.Int, nil 2345 case "delete.file.device_path": 2346 return reflect.String, nil 2347 case "delete.file.device_path.length": 2348 return reflect.Int, nil 2349 case "delete.file.name": 2350 return reflect.String, nil 2351 case "delete.file.name.length": 2352 return reflect.Int, nil 2353 case "delete.registry.key_name": 2354 return reflect.String, nil 2355 case "delete.registry.key_name.length": 2356 return reflect.Int, nil 2357 case "delete.registry.key_path": 2358 return reflect.String, nil 2359 case "delete.registry.key_path.length": 2360 return reflect.Int, nil 2361 case "delete_key.registry.key_name": 2362 return reflect.String, nil 2363 case "delete_key.registry.key_name.length": 2364 return reflect.Int, nil 2365 case "delete_key.registry.key_path": 2366 return reflect.String, nil 2367 case "delete_key.registry.key_path.length": 2368 return reflect.Int, nil 2369 case "event.origin": 2370 return reflect.String, nil 2371 case "event.os": 2372 return reflect.String, nil 2373 case "event.service": 2374 return reflect.String, nil 2375 case "event.timestamp": 2376 return reflect.Int, nil 2377 case "exec.cmdline": 2378 return reflect.String, nil 2379 case "exec.container.id": 2380 return reflect.String, nil 2381 case "exec.created_at": 2382 return reflect.Int, nil 2383 case "exec.envp": 2384 return reflect.String, nil 2385 case "exec.envs": 2386 return reflect.String, nil 2387 case "exec.file.name": 2388 return reflect.String, nil 2389 case "exec.file.name.length": 2390 return reflect.Int, nil 2391 case "exec.file.path": 2392 return reflect.String, nil 2393 case "exec.file.path.length": 2394 return reflect.Int, nil 2395 case "exec.pid": 2396 return reflect.Int, nil 2397 case "exec.ppid": 2398 return reflect.Int, nil 2399 case "exec.user": 2400 return reflect.String, nil 2401 case "exec.user_sid": 2402 return reflect.String, nil 2403 case "exit.cause": 2404 return reflect.Int, nil 2405 case "exit.cmdline": 2406 return reflect.String, nil 2407 case "exit.code": 2408 return reflect.Int, nil 2409 case "exit.container.id": 2410 return reflect.String, nil 2411 case "exit.created_at": 2412 return reflect.Int, nil 2413 case "exit.envp": 2414 return reflect.String, nil 2415 case "exit.envs": 2416 return reflect.String, nil 2417 case "exit.file.name": 2418 return reflect.String, nil 2419 case "exit.file.name.length": 2420 return reflect.Int, nil 2421 case "exit.file.path": 2422 return reflect.String, nil 2423 case "exit.file.path.length": 2424 return reflect.Int, nil 2425 case "exit.pid": 2426 return reflect.Int, nil 2427 case "exit.ppid": 2428 return reflect.Int, nil 2429 case "exit.user": 2430 return reflect.String, nil 2431 case "exit.user_sid": 2432 return reflect.String, nil 2433 case "open.registry.key_name": 2434 return reflect.String, nil 2435 case "open.registry.key_name.length": 2436 return reflect.Int, nil 2437 case "open.registry.key_path": 2438 return reflect.String, nil 2439 case "open.registry.key_path.length": 2440 return reflect.Int, nil 2441 case "open_key.registry.key_name": 2442 return reflect.String, nil 2443 case "open_key.registry.key_name.length": 2444 return reflect.Int, nil 2445 case "open_key.registry.key_path": 2446 return reflect.String, nil 2447 case "open_key.registry.key_path.length": 2448 return reflect.Int, nil 2449 case "process.ancestors.cmdline": 2450 return reflect.String, nil 2451 case "process.ancestors.container.id": 2452 return reflect.String, nil 2453 case "process.ancestors.created_at": 2454 return reflect.Int, nil 2455 case "process.ancestors.envp": 2456 return reflect.String, nil 2457 case "process.ancestors.envs": 2458 return reflect.String, nil 2459 case "process.ancestors.file.name": 2460 return reflect.String, nil 2461 case "process.ancestors.file.name.length": 2462 return reflect.Int, nil 2463 case "process.ancestors.file.path": 2464 return reflect.String, nil 2465 case "process.ancestors.file.path.length": 2466 return reflect.Int, nil 2467 case "process.ancestors.pid": 2468 return reflect.Int, nil 2469 case "process.ancestors.ppid": 2470 return reflect.Int, nil 2471 case "process.ancestors.user": 2472 return reflect.String, nil 2473 case "process.ancestors.user_sid": 2474 return reflect.String, nil 2475 case "process.cmdline": 2476 return reflect.String, nil 2477 case "process.container.id": 2478 return reflect.String, nil 2479 case "process.created_at": 2480 return reflect.Int, nil 2481 case "process.envp": 2482 return reflect.String, nil 2483 case "process.envs": 2484 return reflect.String, nil 2485 case "process.file.name": 2486 return reflect.String, nil 2487 case "process.file.name.length": 2488 return reflect.Int, nil 2489 case "process.file.path": 2490 return reflect.String, nil 2491 case "process.file.path.length": 2492 return reflect.Int, nil 2493 case "process.parent.cmdline": 2494 return reflect.String, nil 2495 case "process.parent.container.id": 2496 return reflect.String, nil 2497 case "process.parent.created_at": 2498 return reflect.Int, nil 2499 case "process.parent.envp": 2500 return reflect.String, nil 2501 case "process.parent.envs": 2502 return reflect.String, nil 2503 case "process.parent.file.name": 2504 return reflect.String, nil 2505 case "process.parent.file.name.length": 2506 return reflect.Int, nil 2507 case "process.parent.file.path": 2508 return reflect.String, nil 2509 case "process.parent.file.path.length": 2510 return reflect.Int, nil 2511 case "process.parent.pid": 2512 return reflect.Int, nil 2513 case "process.parent.ppid": 2514 return reflect.Int, nil 2515 case "process.parent.user": 2516 return reflect.String, nil 2517 case "process.parent.user_sid": 2518 return reflect.String, nil 2519 case "process.pid": 2520 return reflect.Int, nil 2521 case "process.ppid": 2522 return reflect.Int, nil 2523 case "process.user": 2524 return reflect.String, nil 2525 case "process.user_sid": 2526 return reflect.String, nil 2527 case "rename.file.destination.device_path": 2528 return reflect.String, nil 2529 case "rename.file.destination.device_path.length": 2530 return reflect.Int, nil 2531 case "rename.file.destination.name": 2532 return reflect.String, nil 2533 case "rename.file.destination.name.length": 2534 return reflect.Int, nil 2535 case "rename.file.device_path": 2536 return reflect.String, nil 2537 case "rename.file.device_path.length": 2538 return reflect.Int, nil 2539 case "rename.file.name": 2540 return reflect.String, nil 2541 case "rename.file.name.length": 2542 return reflect.Int, nil 2543 case "set.registry.key_name": 2544 return reflect.String, nil 2545 case "set.registry.key_name.length": 2546 return reflect.Int, nil 2547 case "set.registry.key_path": 2548 return reflect.String, nil 2549 case "set.registry.key_path.length": 2550 return reflect.Int, nil 2551 case "set.registry.value_name": 2552 return reflect.String, nil 2553 case "set.registry.value_name.length": 2554 return reflect.Int, nil 2555 case "set.value_name": 2556 return reflect.String, nil 2557 case "set_key_value.registry.key_name": 2558 return reflect.String, nil 2559 case "set_key_value.registry.key_name.length": 2560 return reflect.Int, nil 2561 case "set_key_value.registry.key_path": 2562 return reflect.String, nil 2563 case "set_key_value.registry.key_path.length": 2564 return reflect.Int, nil 2565 case "set_key_value.registry.value_name": 2566 return reflect.String, nil 2567 case "set_key_value.registry.value_name.length": 2568 return reflect.Int, nil 2569 case "set_key_value.value_name": 2570 return reflect.String, nil 2571 case "write.file.device_path": 2572 return reflect.String, nil 2573 case "write.file.device_path.length": 2574 return reflect.Int, nil 2575 case "write.file.name": 2576 return reflect.String, nil 2577 case "write.file.name.length": 2578 return reflect.Int, nil 2579 } 2580 return reflect.Invalid, &eval.ErrFieldNotFound{Field: field} 2581 } 2582 func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error { 2583 switch field { 2584 case "container.created_at": 2585 if ev.BaseEvent.ContainerContext == nil { 2586 ev.BaseEvent.ContainerContext = &ContainerContext{} 2587 } 2588 rv, ok := value.(int) 2589 if !ok { 2590 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ContainerContext.CreatedAt"} 2591 } 2592 ev.BaseEvent.ContainerContext.CreatedAt = uint64(rv) 2593 return nil 2594 case "container.id": 2595 if ev.BaseEvent.ContainerContext == nil { 2596 ev.BaseEvent.ContainerContext = &ContainerContext{} 2597 } 2598 rv, ok := value.(string) 2599 if !ok { 2600 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ContainerContext.ID"} 2601 } 2602 ev.BaseEvent.ContainerContext.ID = rv 2603 return nil 2604 case "container.tags": 2605 if ev.BaseEvent.ContainerContext == nil { 2606 ev.BaseEvent.ContainerContext = &ContainerContext{} 2607 } 2608 switch rv := value.(type) { 2609 case string: 2610 ev.BaseEvent.ContainerContext.Tags = append(ev.BaseEvent.ContainerContext.Tags, rv) 2611 case []string: 2612 ev.BaseEvent.ContainerContext.Tags = append(ev.BaseEvent.ContainerContext.Tags, rv...) 2613 default: 2614 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ContainerContext.Tags"} 2615 } 2616 return nil 2617 case "create.file.device_path": 2618 rv, ok := value.(string) 2619 if !ok { 2620 return &eval.ErrValueTypeMismatch{Field: "CreateNewFile.File.PathnameStr"} 2621 } 2622 ev.CreateNewFile.File.PathnameStr = rv 2623 return nil 2624 case "create.file.device_path.length": 2625 return &eval.ErrFieldReadOnly{Field: "create.file.device_path.length"} 2626 case "create.file.name": 2627 rv, ok := value.(string) 2628 if !ok { 2629 return &eval.ErrValueTypeMismatch{Field: "CreateNewFile.File.BasenameStr"} 2630 } 2631 ev.CreateNewFile.File.BasenameStr = rv 2632 return nil 2633 case "create.file.name.length": 2634 return &eval.ErrFieldReadOnly{Field: "create.file.name.length"} 2635 case "create.registry.key_name": 2636 rv, ok := value.(string) 2637 if !ok { 2638 return &eval.ErrValueTypeMismatch{Field: "CreateRegistryKey.Registry.KeyName"} 2639 } 2640 ev.CreateRegistryKey.Registry.KeyName = rv 2641 return nil 2642 case "create.registry.key_name.length": 2643 return &eval.ErrFieldReadOnly{Field: "create.registry.key_name.length"} 2644 case "create.registry.key_path": 2645 rv, ok := value.(string) 2646 if !ok { 2647 return &eval.ErrValueTypeMismatch{Field: "CreateRegistryKey.Registry.KeyPath"} 2648 } 2649 ev.CreateRegistryKey.Registry.KeyPath = rv 2650 return nil 2651 case "create.registry.key_path.length": 2652 return &eval.ErrFieldReadOnly{Field: "create.registry.key_path.length"} 2653 case "create_key.registry.key_name": 2654 rv, ok := value.(string) 2655 if !ok { 2656 return &eval.ErrValueTypeMismatch{Field: "CreateRegistryKey.Registry.KeyName"} 2657 } 2658 ev.CreateRegistryKey.Registry.KeyName = rv 2659 return nil 2660 case "create_key.registry.key_name.length": 2661 return &eval.ErrFieldReadOnly{Field: "create_key.registry.key_name.length"} 2662 case "create_key.registry.key_path": 2663 rv, ok := value.(string) 2664 if !ok { 2665 return &eval.ErrValueTypeMismatch{Field: "CreateRegistryKey.Registry.KeyPath"} 2666 } 2667 ev.CreateRegistryKey.Registry.KeyPath = rv 2668 return nil 2669 case "create_key.registry.key_path.length": 2670 return &eval.ErrFieldReadOnly{Field: "create_key.registry.key_path.length"} 2671 case "delete.file.device_path": 2672 rv, ok := value.(string) 2673 if !ok { 2674 return &eval.ErrValueTypeMismatch{Field: "DeleteFile.File.PathnameStr"} 2675 } 2676 ev.DeleteFile.File.PathnameStr = rv 2677 return nil 2678 case "delete.file.device_path.length": 2679 return &eval.ErrFieldReadOnly{Field: "delete.file.device_path.length"} 2680 case "delete.file.name": 2681 rv, ok := value.(string) 2682 if !ok { 2683 return &eval.ErrValueTypeMismatch{Field: "DeleteFile.File.BasenameStr"} 2684 } 2685 ev.DeleteFile.File.BasenameStr = rv 2686 return nil 2687 case "delete.file.name.length": 2688 return &eval.ErrFieldReadOnly{Field: "delete.file.name.length"} 2689 case "delete.registry.key_name": 2690 rv, ok := value.(string) 2691 if !ok { 2692 return &eval.ErrValueTypeMismatch{Field: "DeleteRegistryKey.Registry.KeyName"} 2693 } 2694 ev.DeleteRegistryKey.Registry.KeyName = rv 2695 return nil 2696 case "delete.registry.key_name.length": 2697 return &eval.ErrFieldReadOnly{Field: "delete.registry.key_name.length"} 2698 case "delete.registry.key_path": 2699 rv, ok := value.(string) 2700 if !ok { 2701 return &eval.ErrValueTypeMismatch{Field: "DeleteRegistryKey.Registry.KeyPath"} 2702 } 2703 ev.DeleteRegistryKey.Registry.KeyPath = rv 2704 return nil 2705 case "delete.registry.key_path.length": 2706 return &eval.ErrFieldReadOnly{Field: "delete.registry.key_path.length"} 2707 case "delete_key.registry.key_name": 2708 rv, ok := value.(string) 2709 if !ok { 2710 return &eval.ErrValueTypeMismatch{Field: "DeleteRegistryKey.Registry.KeyName"} 2711 } 2712 ev.DeleteRegistryKey.Registry.KeyName = rv 2713 return nil 2714 case "delete_key.registry.key_name.length": 2715 return &eval.ErrFieldReadOnly{Field: "delete_key.registry.key_name.length"} 2716 case "delete_key.registry.key_path": 2717 rv, ok := value.(string) 2718 if !ok { 2719 return &eval.ErrValueTypeMismatch{Field: "DeleteRegistryKey.Registry.KeyPath"} 2720 } 2721 ev.DeleteRegistryKey.Registry.KeyPath = rv 2722 return nil 2723 case "delete_key.registry.key_path.length": 2724 return &eval.ErrFieldReadOnly{Field: "delete_key.registry.key_path.length"} 2725 case "event.origin": 2726 rv, ok := value.(string) 2727 if !ok { 2728 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.Origin"} 2729 } 2730 ev.BaseEvent.Origin = rv 2731 return nil 2732 case "event.os": 2733 rv, ok := value.(string) 2734 if !ok { 2735 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.Os"} 2736 } 2737 ev.BaseEvent.Os = rv 2738 return nil 2739 case "event.service": 2740 rv, ok := value.(string) 2741 if !ok { 2742 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.Service"} 2743 } 2744 ev.BaseEvent.Service = rv 2745 return nil 2746 case "event.timestamp": 2747 rv, ok := value.(int) 2748 if !ok { 2749 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.TimestampRaw"} 2750 } 2751 ev.BaseEvent.TimestampRaw = uint64(rv) 2752 return nil 2753 case "exec.cmdline": 2754 if ev.Exec.Process == nil { 2755 ev.Exec.Process = &Process{} 2756 } 2757 rv, ok := value.(string) 2758 if !ok { 2759 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.CmdLine"} 2760 } 2761 ev.Exec.Process.CmdLine = rv 2762 return nil 2763 case "exec.container.id": 2764 if ev.Exec.Process == nil { 2765 ev.Exec.Process = &Process{} 2766 } 2767 rv, ok := value.(string) 2768 if !ok { 2769 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.ContainerID"} 2770 } 2771 ev.Exec.Process.ContainerID = rv 2772 return nil 2773 case "exec.created_at": 2774 if ev.Exec.Process == nil { 2775 ev.Exec.Process = &Process{} 2776 } 2777 rv, ok := value.(int) 2778 if !ok { 2779 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.CreatedAt"} 2780 } 2781 ev.Exec.Process.CreatedAt = uint64(rv) 2782 return nil 2783 case "exec.envp": 2784 if ev.Exec.Process == nil { 2785 ev.Exec.Process = &Process{} 2786 } 2787 switch rv := value.(type) { 2788 case string: 2789 ev.Exec.Process.Envp = append(ev.Exec.Process.Envp, rv) 2790 case []string: 2791 ev.Exec.Process.Envp = append(ev.Exec.Process.Envp, rv...) 2792 default: 2793 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Envp"} 2794 } 2795 return nil 2796 case "exec.envs": 2797 if ev.Exec.Process == nil { 2798 ev.Exec.Process = &Process{} 2799 } 2800 switch rv := value.(type) { 2801 case string: 2802 ev.Exec.Process.Envs = append(ev.Exec.Process.Envs, rv) 2803 case []string: 2804 ev.Exec.Process.Envs = append(ev.Exec.Process.Envs, rv...) 2805 default: 2806 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Envs"} 2807 } 2808 return nil 2809 case "exec.file.name": 2810 if ev.Exec.Process == nil { 2811 ev.Exec.Process = &Process{} 2812 } 2813 rv, ok := value.(string) 2814 if !ok { 2815 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.BasenameStr"} 2816 } 2817 ev.Exec.Process.FileEvent.BasenameStr = rv 2818 return nil 2819 case "exec.file.name.length": 2820 if ev.Exec.Process == nil { 2821 ev.Exec.Process = &Process{} 2822 } 2823 return &eval.ErrFieldReadOnly{Field: "exec.file.name.length"} 2824 case "exec.file.path": 2825 if ev.Exec.Process == nil { 2826 ev.Exec.Process = &Process{} 2827 } 2828 rv, ok := value.(string) 2829 if !ok { 2830 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.PathnameStr"} 2831 } 2832 ev.Exec.Process.FileEvent.PathnameStr = rv 2833 return nil 2834 case "exec.file.path.length": 2835 if ev.Exec.Process == nil { 2836 ev.Exec.Process = &Process{} 2837 } 2838 return &eval.ErrFieldReadOnly{Field: "exec.file.path.length"} 2839 case "exec.pid": 2840 if ev.Exec.Process == nil { 2841 ev.Exec.Process = &Process{} 2842 } 2843 rv, ok := value.(int) 2844 if !ok { 2845 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.PIDContext.Pid"} 2846 } 2847 ev.Exec.Process.PIDContext.Pid = uint32(rv) 2848 return nil 2849 case "exec.ppid": 2850 if ev.Exec.Process == nil { 2851 ev.Exec.Process = &Process{} 2852 } 2853 rv, ok := value.(int) 2854 if !ok { 2855 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.PPid"} 2856 } 2857 ev.Exec.Process.PPid = uint32(rv) 2858 return nil 2859 case "exec.user": 2860 if ev.Exec.Process == nil { 2861 ev.Exec.Process = &Process{} 2862 } 2863 rv, ok := value.(string) 2864 if !ok { 2865 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.User"} 2866 } 2867 ev.Exec.Process.User = rv 2868 return nil 2869 case "exec.user_sid": 2870 if ev.Exec.Process == nil { 2871 ev.Exec.Process = &Process{} 2872 } 2873 rv, ok := value.(string) 2874 if !ok { 2875 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.OwnerSidString"} 2876 } 2877 ev.Exec.Process.OwnerSidString = rv 2878 return nil 2879 case "exit.cause": 2880 rv, ok := value.(int) 2881 if !ok { 2882 return &eval.ErrValueTypeMismatch{Field: "Exit.Cause"} 2883 } 2884 ev.Exit.Cause = uint32(rv) 2885 return nil 2886 case "exit.cmdline": 2887 if ev.Exit.Process == nil { 2888 ev.Exit.Process = &Process{} 2889 } 2890 rv, ok := value.(string) 2891 if !ok { 2892 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.CmdLine"} 2893 } 2894 ev.Exit.Process.CmdLine = rv 2895 return nil 2896 case "exit.code": 2897 rv, ok := value.(int) 2898 if !ok { 2899 return &eval.ErrValueTypeMismatch{Field: "Exit.Code"} 2900 } 2901 ev.Exit.Code = uint32(rv) 2902 return nil 2903 case "exit.container.id": 2904 if ev.Exit.Process == nil { 2905 ev.Exit.Process = &Process{} 2906 } 2907 rv, ok := value.(string) 2908 if !ok { 2909 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.ContainerID"} 2910 } 2911 ev.Exit.Process.ContainerID = rv 2912 return nil 2913 case "exit.created_at": 2914 if ev.Exit.Process == nil { 2915 ev.Exit.Process = &Process{} 2916 } 2917 rv, ok := value.(int) 2918 if !ok { 2919 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.CreatedAt"} 2920 } 2921 ev.Exit.Process.CreatedAt = uint64(rv) 2922 return nil 2923 case "exit.envp": 2924 if ev.Exit.Process == nil { 2925 ev.Exit.Process = &Process{} 2926 } 2927 switch rv := value.(type) { 2928 case string: 2929 ev.Exit.Process.Envp = append(ev.Exit.Process.Envp, rv) 2930 case []string: 2931 ev.Exit.Process.Envp = append(ev.Exit.Process.Envp, rv...) 2932 default: 2933 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Envp"} 2934 } 2935 return nil 2936 case "exit.envs": 2937 if ev.Exit.Process == nil { 2938 ev.Exit.Process = &Process{} 2939 } 2940 switch rv := value.(type) { 2941 case string: 2942 ev.Exit.Process.Envs = append(ev.Exit.Process.Envs, rv) 2943 case []string: 2944 ev.Exit.Process.Envs = append(ev.Exit.Process.Envs, rv...) 2945 default: 2946 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Envs"} 2947 } 2948 return nil 2949 case "exit.file.name": 2950 if ev.Exit.Process == nil { 2951 ev.Exit.Process = &Process{} 2952 } 2953 rv, ok := value.(string) 2954 if !ok { 2955 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.BasenameStr"} 2956 } 2957 ev.Exit.Process.FileEvent.BasenameStr = rv 2958 return nil 2959 case "exit.file.name.length": 2960 if ev.Exit.Process == nil { 2961 ev.Exit.Process = &Process{} 2962 } 2963 return &eval.ErrFieldReadOnly{Field: "exit.file.name.length"} 2964 case "exit.file.path": 2965 if ev.Exit.Process == nil { 2966 ev.Exit.Process = &Process{} 2967 } 2968 rv, ok := value.(string) 2969 if !ok { 2970 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.PathnameStr"} 2971 } 2972 ev.Exit.Process.FileEvent.PathnameStr = rv 2973 return nil 2974 case "exit.file.path.length": 2975 if ev.Exit.Process == nil { 2976 ev.Exit.Process = &Process{} 2977 } 2978 return &eval.ErrFieldReadOnly{Field: "exit.file.path.length"} 2979 case "exit.pid": 2980 if ev.Exit.Process == nil { 2981 ev.Exit.Process = &Process{} 2982 } 2983 rv, ok := value.(int) 2984 if !ok { 2985 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.PIDContext.Pid"} 2986 } 2987 ev.Exit.Process.PIDContext.Pid = uint32(rv) 2988 return nil 2989 case "exit.ppid": 2990 if ev.Exit.Process == nil { 2991 ev.Exit.Process = &Process{} 2992 } 2993 rv, ok := value.(int) 2994 if !ok { 2995 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.PPid"} 2996 } 2997 ev.Exit.Process.PPid = uint32(rv) 2998 return nil 2999 case "exit.user": 3000 if ev.Exit.Process == nil { 3001 ev.Exit.Process = &Process{} 3002 } 3003 rv, ok := value.(string) 3004 if !ok { 3005 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.User"} 3006 } 3007 ev.Exit.Process.User = rv 3008 return nil 3009 case "exit.user_sid": 3010 if ev.Exit.Process == nil { 3011 ev.Exit.Process = &Process{} 3012 } 3013 rv, ok := value.(string) 3014 if !ok { 3015 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.OwnerSidString"} 3016 } 3017 ev.Exit.Process.OwnerSidString = rv 3018 return nil 3019 case "open.registry.key_name": 3020 rv, ok := value.(string) 3021 if !ok { 3022 return &eval.ErrValueTypeMismatch{Field: "OpenRegistryKey.Registry.KeyName"} 3023 } 3024 ev.OpenRegistryKey.Registry.KeyName = rv 3025 return nil 3026 case "open.registry.key_name.length": 3027 return &eval.ErrFieldReadOnly{Field: "open.registry.key_name.length"} 3028 case "open.registry.key_path": 3029 rv, ok := value.(string) 3030 if !ok { 3031 return &eval.ErrValueTypeMismatch{Field: "OpenRegistryKey.Registry.KeyPath"} 3032 } 3033 ev.OpenRegistryKey.Registry.KeyPath = rv 3034 return nil 3035 case "open.registry.key_path.length": 3036 return &eval.ErrFieldReadOnly{Field: "open.registry.key_path.length"} 3037 case "open_key.registry.key_name": 3038 rv, ok := value.(string) 3039 if !ok { 3040 return &eval.ErrValueTypeMismatch{Field: "OpenRegistryKey.Registry.KeyName"} 3041 } 3042 ev.OpenRegistryKey.Registry.KeyName = rv 3043 return nil 3044 case "open_key.registry.key_name.length": 3045 return &eval.ErrFieldReadOnly{Field: "open_key.registry.key_name.length"} 3046 case "open_key.registry.key_path": 3047 rv, ok := value.(string) 3048 if !ok { 3049 return &eval.ErrValueTypeMismatch{Field: "OpenRegistryKey.Registry.KeyPath"} 3050 } 3051 ev.OpenRegistryKey.Registry.KeyPath = rv 3052 return nil 3053 case "open_key.registry.key_path.length": 3054 return &eval.ErrFieldReadOnly{Field: "open_key.registry.key_path.length"} 3055 case "process.ancestors.cmdline": 3056 if ev.BaseEvent.ProcessContext == nil { 3057 ev.BaseEvent.ProcessContext = &ProcessContext{} 3058 } 3059 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3060 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3061 } 3062 rv, ok := value.(string) 3063 if !ok { 3064 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.CmdLine"} 3065 } 3066 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.CmdLine = rv 3067 return nil 3068 case "process.ancestors.container.id": 3069 if ev.BaseEvent.ProcessContext == nil { 3070 ev.BaseEvent.ProcessContext = &ProcessContext{} 3071 } 3072 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3073 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3074 } 3075 rv, ok := value.(string) 3076 if !ok { 3077 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.ContainerID"} 3078 } 3079 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.ContainerID = rv 3080 return nil 3081 case "process.ancestors.created_at": 3082 if ev.BaseEvent.ProcessContext == nil { 3083 ev.BaseEvent.ProcessContext = &ProcessContext{} 3084 } 3085 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3086 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3087 } 3088 rv, ok := value.(int) 3089 if !ok { 3090 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.CreatedAt"} 3091 } 3092 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.CreatedAt = uint64(rv) 3093 return nil 3094 case "process.ancestors.envp": 3095 if ev.BaseEvent.ProcessContext == nil { 3096 ev.BaseEvent.ProcessContext = &ProcessContext{} 3097 } 3098 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3099 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3100 } 3101 switch rv := value.(type) { 3102 case string: 3103 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp, rv) 3104 case []string: 3105 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp, rv...) 3106 default: 3107 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp"} 3108 } 3109 return nil 3110 case "process.ancestors.envs": 3111 if ev.BaseEvent.ProcessContext == nil { 3112 ev.BaseEvent.ProcessContext = &ProcessContext{} 3113 } 3114 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3115 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3116 } 3117 switch rv := value.(type) { 3118 case string: 3119 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs, rv) 3120 case []string: 3121 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs, rv...) 3122 default: 3123 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs"} 3124 } 3125 return nil 3126 case "process.ancestors.file.name": 3127 if ev.BaseEvent.ProcessContext == nil { 3128 ev.BaseEvent.ProcessContext = &ProcessContext{} 3129 } 3130 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3131 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3132 } 3133 rv, ok := value.(string) 3134 if !ok { 3135 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.BasenameStr"} 3136 } 3137 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.BasenameStr = rv 3138 return nil 3139 case "process.ancestors.file.name.length": 3140 if ev.BaseEvent.ProcessContext == nil { 3141 ev.BaseEvent.ProcessContext = &ProcessContext{} 3142 } 3143 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3144 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3145 } 3146 return &eval.ErrFieldReadOnly{Field: "process.ancestors.file.name.length"} 3147 case "process.ancestors.file.path": 3148 if ev.BaseEvent.ProcessContext == nil { 3149 ev.BaseEvent.ProcessContext = &ProcessContext{} 3150 } 3151 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3152 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3153 } 3154 rv, ok := value.(string) 3155 if !ok { 3156 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PathnameStr"} 3157 } 3158 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PathnameStr = rv 3159 return nil 3160 case "process.ancestors.file.path.length": 3161 if ev.BaseEvent.ProcessContext == nil { 3162 ev.BaseEvent.ProcessContext = &ProcessContext{} 3163 } 3164 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3165 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3166 } 3167 return &eval.ErrFieldReadOnly{Field: "process.ancestors.file.path.length"} 3168 case "process.ancestors.pid": 3169 if ev.BaseEvent.ProcessContext == nil { 3170 ev.BaseEvent.ProcessContext = &ProcessContext{} 3171 } 3172 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3173 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3174 } 3175 rv, ok := value.(int) 3176 if !ok { 3177 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PIDContext.Pid"} 3178 } 3179 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PIDContext.Pid = uint32(rv) 3180 return nil 3181 case "process.ancestors.ppid": 3182 if ev.BaseEvent.ProcessContext == nil { 3183 ev.BaseEvent.ProcessContext = &ProcessContext{} 3184 } 3185 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3186 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3187 } 3188 rv, ok := value.(int) 3189 if !ok { 3190 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PPid"} 3191 } 3192 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PPid = uint32(rv) 3193 return nil 3194 case "process.ancestors.user": 3195 if ev.BaseEvent.ProcessContext == nil { 3196 ev.BaseEvent.ProcessContext = &ProcessContext{} 3197 } 3198 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3199 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3200 } 3201 rv, ok := value.(string) 3202 if !ok { 3203 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.User"} 3204 } 3205 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.User = rv 3206 return nil 3207 case "process.ancestors.user_sid": 3208 if ev.BaseEvent.ProcessContext == nil { 3209 ev.BaseEvent.ProcessContext = &ProcessContext{} 3210 } 3211 if ev.BaseEvent.ProcessContext.Ancestor == nil { 3212 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 3213 } 3214 rv, ok := value.(string) 3215 if !ok { 3216 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.OwnerSidString"} 3217 } 3218 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.OwnerSidString = rv 3219 return nil 3220 case "process.cmdline": 3221 if ev.BaseEvent.ProcessContext == nil { 3222 ev.BaseEvent.ProcessContext = &ProcessContext{} 3223 } 3224 rv, ok := value.(string) 3225 if !ok { 3226 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.CmdLine"} 3227 } 3228 ev.BaseEvent.ProcessContext.Process.CmdLine = rv 3229 return nil 3230 case "process.container.id": 3231 if ev.BaseEvent.ProcessContext == nil { 3232 ev.BaseEvent.ProcessContext = &ProcessContext{} 3233 } 3234 rv, ok := value.(string) 3235 if !ok { 3236 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.ContainerID"} 3237 } 3238 ev.BaseEvent.ProcessContext.Process.ContainerID = rv 3239 return nil 3240 case "process.created_at": 3241 if ev.BaseEvent.ProcessContext == nil { 3242 ev.BaseEvent.ProcessContext = &ProcessContext{} 3243 } 3244 rv, ok := value.(int) 3245 if !ok { 3246 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.CreatedAt"} 3247 } 3248 ev.BaseEvent.ProcessContext.Process.CreatedAt = uint64(rv) 3249 return nil 3250 case "process.envp": 3251 if ev.BaseEvent.ProcessContext == nil { 3252 ev.BaseEvent.ProcessContext = &ProcessContext{} 3253 } 3254 switch rv := value.(type) { 3255 case string: 3256 ev.BaseEvent.ProcessContext.Process.Envp = append(ev.BaseEvent.ProcessContext.Process.Envp, rv) 3257 case []string: 3258 ev.BaseEvent.ProcessContext.Process.Envp = append(ev.BaseEvent.ProcessContext.Process.Envp, rv...) 3259 default: 3260 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Envp"} 3261 } 3262 return nil 3263 case "process.envs": 3264 if ev.BaseEvent.ProcessContext == nil { 3265 ev.BaseEvent.ProcessContext = &ProcessContext{} 3266 } 3267 switch rv := value.(type) { 3268 case string: 3269 ev.BaseEvent.ProcessContext.Process.Envs = append(ev.BaseEvent.ProcessContext.Process.Envs, rv) 3270 case []string: 3271 ev.BaseEvent.ProcessContext.Process.Envs = append(ev.BaseEvent.ProcessContext.Process.Envs, rv...) 3272 default: 3273 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Envs"} 3274 } 3275 return nil 3276 case "process.file.name": 3277 if ev.BaseEvent.ProcessContext == nil { 3278 ev.BaseEvent.ProcessContext = &ProcessContext{} 3279 } 3280 rv, ok := value.(string) 3281 if !ok { 3282 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.BasenameStr"} 3283 } 3284 ev.BaseEvent.ProcessContext.Process.FileEvent.BasenameStr = rv 3285 return nil 3286 case "process.file.name.length": 3287 if ev.BaseEvent.ProcessContext == nil { 3288 ev.BaseEvent.ProcessContext = &ProcessContext{} 3289 } 3290 return &eval.ErrFieldReadOnly{Field: "process.file.name.length"} 3291 case "process.file.path": 3292 if ev.BaseEvent.ProcessContext == nil { 3293 ev.BaseEvent.ProcessContext = &ProcessContext{} 3294 } 3295 rv, ok := value.(string) 3296 if !ok { 3297 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.PathnameStr"} 3298 } 3299 ev.BaseEvent.ProcessContext.Process.FileEvent.PathnameStr = rv 3300 return nil 3301 case "process.file.path.length": 3302 if ev.BaseEvent.ProcessContext == nil { 3303 ev.BaseEvent.ProcessContext = &ProcessContext{} 3304 } 3305 return &eval.ErrFieldReadOnly{Field: "process.file.path.length"} 3306 case "process.parent.cmdline": 3307 if ev.BaseEvent.ProcessContext == nil { 3308 ev.BaseEvent.ProcessContext = &ProcessContext{} 3309 } 3310 if ev.BaseEvent.ProcessContext.Parent == nil { 3311 ev.BaseEvent.ProcessContext.Parent = &Process{} 3312 } 3313 rv, ok := value.(string) 3314 if !ok { 3315 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.CmdLine"} 3316 } 3317 ev.BaseEvent.ProcessContext.Parent.CmdLine = rv 3318 return nil 3319 case "process.parent.container.id": 3320 if ev.BaseEvent.ProcessContext == nil { 3321 ev.BaseEvent.ProcessContext = &ProcessContext{} 3322 } 3323 if ev.BaseEvent.ProcessContext.Parent == nil { 3324 ev.BaseEvent.ProcessContext.Parent = &Process{} 3325 } 3326 rv, ok := value.(string) 3327 if !ok { 3328 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.ContainerID"} 3329 } 3330 ev.BaseEvent.ProcessContext.Parent.ContainerID = rv 3331 return nil 3332 case "process.parent.created_at": 3333 if ev.BaseEvent.ProcessContext == nil { 3334 ev.BaseEvent.ProcessContext = &ProcessContext{} 3335 } 3336 if ev.BaseEvent.ProcessContext.Parent == nil { 3337 ev.BaseEvent.ProcessContext.Parent = &Process{} 3338 } 3339 rv, ok := value.(int) 3340 if !ok { 3341 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.CreatedAt"} 3342 } 3343 ev.BaseEvent.ProcessContext.Parent.CreatedAt = uint64(rv) 3344 return nil 3345 case "process.parent.envp": 3346 if ev.BaseEvent.ProcessContext == nil { 3347 ev.BaseEvent.ProcessContext = &ProcessContext{} 3348 } 3349 if ev.BaseEvent.ProcessContext.Parent == nil { 3350 ev.BaseEvent.ProcessContext.Parent = &Process{} 3351 } 3352 switch rv := value.(type) { 3353 case string: 3354 ev.BaseEvent.ProcessContext.Parent.Envp = append(ev.BaseEvent.ProcessContext.Parent.Envp, rv) 3355 case []string: 3356 ev.BaseEvent.ProcessContext.Parent.Envp = append(ev.BaseEvent.ProcessContext.Parent.Envp, rv...) 3357 default: 3358 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Envp"} 3359 } 3360 return nil 3361 case "process.parent.envs": 3362 if ev.BaseEvent.ProcessContext == nil { 3363 ev.BaseEvent.ProcessContext = &ProcessContext{} 3364 } 3365 if ev.BaseEvent.ProcessContext.Parent == nil { 3366 ev.BaseEvent.ProcessContext.Parent = &Process{} 3367 } 3368 switch rv := value.(type) { 3369 case string: 3370 ev.BaseEvent.ProcessContext.Parent.Envs = append(ev.BaseEvent.ProcessContext.Parent.Envs, rv) 3371 case []string: 3372 ev.BaseEvent.ProcessContext.Parent.Envs = append(ev.BaseEvent.ProcessContext.Parent.Envs, rv...) 3373 default: 3374 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Envs"} 3375 } 3376 return nil 3377 case "process.parent.file.name": 3378 if ev.BaseEvent.ProcessContext == nil { 3379 ev.BaseEvent.ProcessContext = &ProcessContext{} 3380 } 3381 if ev.BaseEvent.ProcessContext.Parent == nil { 3382 ev.BaseEvent.ProcessContext.Parent = &Process{} 3383 } 3384 rv, ok := value.(string) 3385 if !ok { 3386 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.BasenameStr"} 3387 } 3388 ev.BaseEvent.ProcessContext.Parent.FileEvent.BasenameStr = rv 3389 return nil 3390 case "process.parent.file.name.length": 3391 if ev.BaseEvent.ProcessContext == nil { 3392 ev.BaseEvent.ProcessContext = &ProcessContext{} 3393 } 3394 if ev.BaseEvent.ProcessContext.Parent == nil { 3395 ev.BaseEvent.ProcessContext.Parent = &Process{} 3396 } 3397 return &eval.ErrFieldReadOnly{Field: "process.parent.file.name.length"} 3398 case "process.parent.file.path": 3399 if ev.BaseEvent.ProcessContext == nil { 3400 ev.BaseEvent.ProcessContext = &ProcessContext{} 3401 } 3402 if ev.BaseEvent.ProcessContext.Parent == nil { 3403 ev.BaseEvent.ProcessContext.Parent = &Process{} 3404 } 3405 rv, ok := value.(string) 3406 if !ok { 3407 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.PathnameStr"} 3408 } 3409 ev.BaseEvent.ProcessContext.Parent.FileEvent.PathnameStr = rv 3410 return nil 3411 case "process.parent.file.path.length": 3412 if ev.BaseEvent.ProcessContext == nil { 3413 ev.BaseEvent.ProcessContext = &ProcessContext{} 3414 } 3415 if ev.BaseEvent.ProcessContext.Parent == nil { 3416 ev.BaseEvent.ProcessContext.Parent = &Process{} 3417 } 3418 return &eval.ErrFieldReadOnly{Field: "process.parent.file.path.length"} 3419 case "process.parent.pid": 3420 if ev.BaseEvent.ProcessContext == nil { 3421 ev.BaseEvent.ProcessContext = &ProcessContext{} 3422 } 3423 if ev.BaseEvent.ProcessContext.Parent == nil { 3424 ev.BaseEvent.ProcessContext.Parent = &Process{} 3425 } 3426 rv, ok := value.(int) 3427 if !ok { 3428 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.PIDContext.Pid"} 3429 } 3430 ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid = uint32(rv) 3431 return nil 3432 case "process.parent.ppid": 3433 if ev.BaseEvent.ProcessContext == nil { 3434 ev.BaseEvent.ProcessContext = &ProcessContext{} 3435 } 3436 if ev.BaseEvent.ProcessContext.Parent == nil { 3437 ev.BaseEvent.ProcessContext.Parent = &Process{} 3438 } 3439 rv, ok := value.(int) 3440 if !ok { 3441 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.PPid"} 3442 } 3443 ev.BaseEvent.ProcessContext.Parent.PPid = uint32(rv) 3444 return nil 3445 case "process.parent.user": 3446 if ev.BaseEvent.ProcessContext == nil { 3447 ev.BaseEvent.ProcessContext = &ProcessContext{} 3448 } 3449 if ev.BaseEvent.ProcessContext.Parent == nil { 3450 ev.BaseEvent.ProcessContext.Parent = &Process{} 3451 } 3452 rv, ok := value.(string) 3453 if !ok { 3454 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.User"} 3455 } 3456 ev.BaseEvent.ProcessContext.Parent.User = rv 3457 return nil 3458 case "process.parent.user_sid": 3459 if ev.BaseEvent.ProcessContext == nil { 3460 ev.BaseEvent.ProcessContext = &ProcessContext{} 3461 } 3462 if ev.BaseEvent.ProcessContext.Parent == nil { 3463 ev.BaseEvent.ProcessContext.Parent = &Process{} 3464 } 3465 rv, ok := value.(string) 3466 if !ok { 3467 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.OwnerSidString"} 3468 } 3469 ev.BaseEvent.ProcessContext.Parent.OwnerSidString = rv 3470 return nil 3471 case "process.pid": 3472 if ev.BaseEvent.ProcessContext == nil { 3473 ev.BaseEvent.ProcessContext = &ProcessContext{} 3474 } 3475 rv, ok := value.(int) 3476 if !ok { 3477 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.PIDContext.Pid"} 3478 } 3479 ev.BaseEvent.ProcessContext.Process.PIDContext.Pid = uint32(rv) 3480 return nil 3481 case "process.ppid": 3482 if ev.BaseEvent.ProcessContext == nil { 3483 ev.BaseEvent.ProcessContext = &ProcessContext{} 3484 } 3485 rv, ok := value.(int) 3486 if !ok { 3487 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.PPid"} 3488 } 3489 ev.BaseEvent.ProcessContext.Process.PPid = uint32(rv) 3490 return nil 3491 case "process.user": 3492 if ev.BaseEvent.ProcessContext == nil { 3493 ev.BaseEvent.ProcessContext = &ProcessContext{} 3494 } 3495 rv, ok := value.(string) 3496 if !ok { 3497 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.User"} 3498 } 3499 ev.BaseEvent.ProcessContext.Process.User = rv 3500 return nil 3501 case "process.user_sid": 3502 if ev.BaseEvent.ProcessContext == nil { 3503 ev.BaseEvent.ProcessContext = &ProcessContext{} 3504 } 3505 rv, ok := value.(string) 3506 if !ok { 3507 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.OwnerSidString"} 3508 } 3509 ev.BaseEvent.ProcessContext.Process.OwnerSidString = rv 3510 return nil 3511 case "rename.file.destination.device_path": 3512 rv, ok := value.(string) 3513 if !ok { 3514 return &eval.ErrValueTypeMismatch{Field: "RenameFile.New.PathnameStr"} 3515 } 3516 ev.RenameFile.New.PathnameStr = rv 3517 return nil 3518 case "rename.file.destination.device_path.length": 3519 return &eval.ErrFieldReadOnly{Field: "rename.file.destination.device_path.length"} 3520 case "rename.file.destination.name": 3521 rv, ok := value.(string) 3522 if !ok { 3523 return &eval.ErrValueTypeMismatch{Field: "RenameFile.New.BasenameStr"} 3524 } 3525 ev.RenameFile.New.BasenameStr = rv 3526 return nil 3527 case "rename.file.destination.name.length": 3528 return &eval.ErrFieldReadOnly{Field: "rename.file.destination.name.length"} 3529 case "rename.file.device_path": 3530 rv, ok := value.(string) 3531 if !ok { 3532 return &eval.ErrValueTypeMismatch{Field: "RenameFile.Old.PathnameStr"} 3533 } 3534 ev.RenameFile.Old.PathnameStr = rv 3535 return nil 3536 case "rename.file.device_path.length": 3537 return &eval.ErrFieldReadOnly{Field: "rename.file.device_path.length"} 3538 case "rename.file.name": 3539 rv, ok := value.(string) 3540 if !ok { 3541 return &eval.ErrValueTypeMismatch{Field: "RenameFile.Old.BasenameStr"} 3542 } 3543 ev.RenameFile.Old.BasenameStr = rv 3544 return nil 3545 case "rename.file.name.length": 3546 return &eval.ErrFieldReadOnly{Field: "rename.file.name.length"} 3547 case "set.registry.key_name": 3548 rv, ok := value.(string) 3549 if !ok { 3550 return &eval.ErrValueTypeMismatch{Field: "SetRegistryKeyValue.Registry.KeyName"} 3551 } 3552 ev.SetRegistryKeyValue.Registry.KeyName = rv 3553 return nil 3554 case "set.registry.key_name.length": 3555 return &eval.ErrFieldReadOnly{Field: "set.registry.key_name.length"} 3556 case "set.registry.key_path": 3557 rv, ok := value.(string) 3558 if !ok { 3559 return &eval.ErrValueTypeMismatch{Field: "SetRegistryKeyValue.Registry.KeyPath"} 3560 } 3561 ev.SetRegistryKeyValue.Registry.KeyPath = rv 3562 return nil 3563 case "set.registry.key_path.length": 3564 return &eval.ErrFieldReadOnly{Field: "set.registry.key_path.length"} 3565 case "set.registry.value_name": 3566 rv, ok := value.(string) 3567 if !ok { 3568 return &eval.ErrValueTypeMismatch{Field: "SetRegistryKeyValue.ValueName"} 3569 } 3570 ev.SetRegistryKeyValue.ValueName = rv 3571 return nil 3572 case "set.registry.value_name.length": 3573 return &eval.ErrFieldReadOnly{Field: "set.registry.value_name.length"} 3574 case "set.value_name": 3575 rv, ok := value.(string) 3576 if !ok { 3577 return &eval.ErrValueTypeMismatch{Field: "SetRegistryKeyValue.ValueName"} 3578 } 3579 ev.SetRegistryKeyValue.ValueName = rv 3580 return nil 3581 case "set_key_value.registry.key_name": 3582 rv, ok := value.(string) 3583 if !ok { 3584 return &eval.ErrValueTypeMismatch{Field: "SetRegistryKeyValue.Registry.KeyName"} 3585 } 3586 ev.SetRegistryKeyValue.Registry.KeyName = rv 3587 return nil 3588 case "set_key_value.registry.key_name.length": 3589 return &eval.ErrFieldReadOnly{Field: "set_key_value.registry.key_name.length"} 3590 case "set_key_value.registry.key_path": 3591 rv, ok := value.(string) 3592 if !ok { 3593 return &eval.ErrValueTypeMismatch{Field: "SetRegistryKeyValue.Registry.KeyPath"} 3594 } 3595 ev.SetRegistryKeyValue.Registry.KeyPath = rv 3596 return nil 3597 case "set_key_value.registry.key_path.length": 3598 return &eval.ErrFieldReadOnly{Field: "set_key_value.registry.key_path.length"} 3599 case "set_key_value.registry.value_name": 3600 rv, ok := value.(string) 3601 if !ok { 3602 return &eval.ErrValueTypeMismatch{Field: "SetRegistryKeyValue.ValueName"} 3603 } 3604 ev.SetRegistryKeyValue.ValueName = rv 3605 return nil 3606 case "set_key_value.registry.value_name.length": 3607 return &eval.ErrFieldReadOnly{Field: "set_key_value.registry.value_name.length"} 3608 case "set_key_value.value_name": 3609 rv, ok := value.(string) 3610 if !ok { 3611 return &eval.ErrValueTypeMismatch{Field: "SetRegistryKeyValue.ValueName"} 3612 } 3613 ev.SetRegistryKeyValue.ValueName = rv 3614 return nil 3615 case "write.file.device_path": 3616 rv, ok := value.(string) 3617 if !ok { 3618 return &eval.ErrValueTypeMismatch{Field: "WriteFile.File.PathnameStr"} 3619 } 3620 ev.WriteFile.File.PathnameStr = rv 3621 return nil 3622 case "write.file.device_path.length": 3623 return &eval.ErrFieldReadOnly{Field: "write.file.device_path.length"} 3624 case "write.file.name": 3625 rv, ok := value.(string) 3626 if !ok { 3627 return &eval.ErrValueTypeMismatch{Field: "WriteFile.File.BasenameStr"} 3628 } 3629 ev.WriteFile.File.BasenameStr = rv 3630 return nil 3631 case "write.file.name.length": 3632 return &eval.ErrFieldReadOnly{Field: "write.file.name.length"} 3633 } 3634 return &eval.ErrFieldNotFound{Field: field} 3635 }