Open
Description
I'm using dftimewolf's plaso_ts recipe and the data type windows:registry:service fields like error_control, start_type and service_type aren't translated.
plaso\plaso\data\formatters\windows.yaml

```yaml
enumeration_helpers:
- input_attribute: 'error_control'
  output_attribute: 'error_control'
  default_value: 'UNKNOWN'
  values:
    0: 'Ignore (0)'
    1: 'Normal (1)'
    2: 'Severe (2)'
    3: 'Critical (3)'
- input_attribute: 'service_type'
  output_attribute: 'service_type'
  default_value: 'UNKNOWN'
  values:
    1: 'Kernel Device Driver (0x1)'
    2: 'File System Driver (0x2)'
    4: 'Adapter (0x4)'
    16: 'Service - Own Process (0x10)'
    32: 'Service - Share Process (0x20)'
- input_attribute: 'start_type'
  output_attribute: 'start_type'
  default_value: 'UNKNOWN'
  values:
    0: 'Boot (0)'
    1: 'System (1)'
    2: 'Auto Start (2)'
    3: 'Manual (3)'
    4: 'Disabled (4)'
```

I'm not proficient in Plaso, but maybe the LocalPlasoProcessor needs to be modified to apply the enumeration_helpers.
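An added example (not dftimewolf's or plaso's own code) that shows what the enumeration helpers above are expected to do to a `windows:registry:service` event, and a check that finds events in a timeline whose `error_control`, `service_type` or `start_type` fields were left as raw integers. It assumes the timeline was exported as JSON lines with one event object per line carrying a `data_type` key; the translation logic mirrors the YAML helper semantics (lookup, `UNKNOWN` for unlisted values) rather than calling plaso's formatter classes.

```python
import json

# Enumeration helpers as listed in plaso's data/formatters/windows.yaml (values copied from the issue).
# Keys are the raw integers stored in the registry, values the strings plaso's formatter emits.
ENUMERATION_HELPERS = {
    'error_control': {0: 'Ignore (0)', 1: 'Normal (1)', 2: 'Severe (2)', 3: 'Critical (3)'},
    'service_type': {1: 'Kernel Device Driver (0x1)', 2: 'File System Driver (0x2)',
                     4: 'Adapter (0x4)', 16: 'Service - Own Process (0x10)',
                     32: 'Service - Share Process (0x20)'},
    'start_type': {0: 'Boot (0)', 1: 'System (1)', 2: 'Auto Start (2)',
                   3: 'Manual (3)', 4: 'Disabled (4)'},
}
DEFAULT_VALUE = 'UNKNOWN'  # default_value of every helper above
SERVICE_DATA_TYPE = 'windows:registry:service'

def apply_enumeration_helpers(event):
    """Return a copy of a service event with its enumerated fields translated as the YAML helpers describe."""
    translated = dict(event)
    if event.get('data_type') != SERVICE_DATA_TYPE:
        return translated
    for attribute, values in ENUMERATION_HELPERS.items():
        raw = event.get(attribute)
        if isinstance(raw, int):  # only raw ints need translating; unlisted ints become 'UNKNOWN'
            translated[attribute] = values.get(raw, DEFAULT_VALUE)
    return translated

def find_untranslated(json_lines):
    """Report (line number, field, value) for service events whose enum fields are still raw integers."""
    findings = []
    for line_number, line in enumerate(json_lines, start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get('data_type') != SERVICE_DATA_TYPE:
            continue
        for attribute in ENUMERATION_HELPERS:
            if isinstance(event.get(attribute), int):
                findings.append((line_number, attribute, event[attribute]))
    return findings

# Constructed sample timeline lines (not real plaso or dftimewolf output), one JSON event per line.
SAMPLE_LINES = [
    '{"data_type": "windows:registry:service", "name": "Spooler", "error_control": 1, "start_type": 2, "service_type": 16}',
    '{"data_type": "windows:registry:service", "name": "Mystery", "error_control": 9, "start_type": "Manual (3)"}',
    '{"data_type": "windows:registry:key_value", "value_name": "Start"}',
]
```

Running `find_untranslated` over a real `plaso_ts` export reproduces the symptom from the report; an empty result means the helpers were applied.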
