OK,
based on Giuseppe's regex, there is this possible solution to get the lost fields reportable. There are of course many more ways, but I chose this one: adding an extraction and calculated fields to the props.conf.
EXTRACT-467_en = Privileges:\s(?<Privilege>[^ ]*) in _raw
EVAL-SeNetworkLogonRight= if(match(Privilege,".+SeNetworkLogonRight"),"Access this Computer from the Network","X")
EVAL-SeBatchLogonRight= if(match(Privilege,".+SeBatchLogonRight"),"Log on as a batch job","X")
EVAL-SeInteractiveLogonRight= if(match(Privilege,".+SeInteractiveLogonRight"),"Log on locally","X")
EVAL-SeServiceLogonRight= if(match(Privilege,".+SeServiceLogonRight"),"Logon as a service","X")
EVAL-SeDenyNetworkLogonRight= if(match(Privilege,".+SeDenyNetworkLogonRight"),"Deny Access to this computer from the network","X")
EVAL-SeDenyInteractiveLogonRight= if(match(Privilege,".+SeDenyInteractiveLogonRight"),"Deny local logon","X")
EVAL-SeDenyBatchLogonRight= if(match(Privilege,".+SeDenyBatchLogonRight"),"Deny logon as a batch file","X")
EVAL-SeDenyServiceLogonRight= if(match(Privilege,".+SeDenyServiceLogonRight"),"Deny logon as a service","X")
EVAL-SeTcbPrivilege= if(match(Privilege,".+SeTcbPrivilege"),"Act as part of the operating system","X")
EVAL-SeMachineAccountPrivilege= if(match(Privilege,".+SeMachineAccountPrivilege"),"Add workstations to the domain","X")
EVAL-SeBackupPrivilege= if(match(Privilege,".+SeBackupPrivilege"),"Backup files and directories","X")
EVAL-SeChangeNotifyPrivilege= if(match(Privilege,".+SeChangeNotifyPrivilege"),"Bypass traverse checking","X")
EVAL-SeSystemTimePrivilege= if(match(Privilege,".+SeSystemTimePrivilege"),"Change the system time","X")
EVAL-SeCreateTokenPrivilege= if(match(Privilege,".+SeCreateTokenPrivilege"),"Create a token object","X")
EVAL-SeCreatePermanentPrivilege= if(match(Privilege,".+SeCreatePermanentPrivilege"),"Create permanent shared objects","X")
EVAL-SeCreatePagefilePrivilege= if(match(Privilege,".+SeCreatePagefilePrivilege"),"Create a pagefile","X")
EVAL-SeDebugPrivilege= if(match(Privilege,".+SeDebugPrivilege"),"Debug programs","X")
EVAL-SeEnableDelegationPrivilege= if(match(Privilege,".+SeEnableDelegationPrivilege"),"Enable computer and user accounts to be trusted for delegation","X")
EVAL-SeRemoteShutdownPrivilege= if(match(Privilege,".+SeRemoteShutdownPrivilege"),"Force shutdown from a remote system","X")
EVAL-SeAuditPrivilege= if(match(Privilege,".+SeAuditPrivilege"),"Generate security audits","X")
EVAL-SeIncreaseQuotaPrivilege= if(match(Privilege,".+SeIncreaseQuotaPrivilege"),"Increase quotas","X")
EVAL-SeIncreaseBasePriorityPrivilege= if(match(Privilege,".+SeIncreaseBasePriorityPrivilege"),"Increase scheduling priority","X")
EVAL-SeLoadDriverPrivilege= if(match(Privilege,".+SeLoadDriverPrivilege"),"Load and unload device drivers","X")
EVAL-SeLockMemoryPrivilege= if(match(Privilege,".+SeLockMemoryPrivilege"),"Lock pages in memory","X")
EVAL-SeSecurityPrivilege= if(match(Privilege,".+SeSecurityPrivilege"),"Manage auditing and security log","X")
EVAL-SeSystemEnvironmentPrivilege= if(match(Privilege,".+SeSystemEnvironmentPrivilege"),"Modify firmware environment values","X")
EVAL-SeProfileSingleProcessPrivilege= if(match(Privilege,".+SeProfileSingleProcessPrivilege"),"Profile a single process","X")
EVAL-SeSystemProfilePrivilege= if(match(Privilege,".+SeSystemProfilePrivilege"),"Profile system performance","X")
EVAL-SeUndockPrivilege= if(match(Privilege,".+SeUndockPrivilege"),"Remove computer from docking station","X")
EVAL-SeAssignPrimaryTokenPrivilege= if(match(Privilege,".+SeAssignPrimaryTokenPrivilege"),"Replace a process-level token","X")
EVAL-SeRestorePrivilege= if(match(Privilege,".+SeRestorePrivilege"),"Restore files and directories","X")
EVAL-SeShutdownPrivilege= if(match(Privilege,".+SeShutdownPrivilege"),"Shut down the system","X")
EVAL-SeSyncAgentPrivilege= if(match(Privilege,".+SeSyncAgentPrivilege"),"Synchronize directory service data","X")
EVAL-SeTakeOwnershipPrivilege= if(match(Privilege,".+SeTakeOwnershipPrivilege"),"Take ownership of files or other objects","X")
EVAL-SeUnsolicitedInputPrivilege= if(match(Privilege,".+SeUnsolicitedInputPrivilege"),"Read unsolicited data from a terminal device","X")
This will create fields named like the shortcut in the event. If this right is not set then there is an "X". Otherwise there is a user-friendly description.
Btw: this will work with every Latin language; just create an alias to Privileges.
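Added example, not part of the original post: a Python sketch that replays the EXTRACT regex and four of the EVAL lines over two constructed events, so the resulting fields can be checked offline before the stanza goes into props.conf. The event text, the account name `svc_example` and the function name `calculated_fields` are assumptions; the second event shows that with a single space after "Privileges:" the `.+` prefix has nothing left to match and every field stays "X".

```python
import re

# Python equivalent of: EXTRACT-467_en = Privileges:\s(?<Privilege>[^ ]*) in _raw
EXTRACT = re.compile(r"Privileges:\s(?P<Privilege>[^ ]*)")

# Subset of the EVAL lines from the post: constant -> friendly text.
FRIENDLY = {
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeBackupPrivilege": "Backup files and directories",
    "SeDebugPrivilege": "Debug programs",
    "SeTcbPrivilege": "Act as part of the operating system",
}

# Constructed sample events (not real log data).
# Tab/newline layout, one privilege per line.
EVENT_TABS = (
    "Special privileges assigned to new logon.\n"
    "Subject:\n\tAccount Name:\t\tsvc_example\n"
    "Privileges:\t\tSeSecurityPrivilege\n"
    "\t\t\tSeBackupPrivilege\n"
    "\t\t\tSeDebugPrivilege"
)
# Same field, but a single space after the colon.
EVENT_SPACE = "Privileges: SeDebugPrivilege"


def calculated_fields(raw):
    """Return {constant: friendly text or "X"} the way the EVAL lines would."""
    m = EXTRACT.search(raw)
    # Assumption of this sketch: no extraction means every field is "X".
    privilege = m.group("Privilege") if m else None
    fields = {}
    for const, text in FRIENDLY.items():
        # Splunk's match() is an unanchored regex test, like re.search.
        hit = privilege is not None and re.search(".+" + const, privilege)
        fields[const] = text if hit else "X"
    return fields


if __name__ == "__main__":
    for name, raw in (("tabs", EVENT_TABS), ("space", EVENT_SPACE)):
        print(name, calculated_fields(raw))
```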