[BUG] AccessMaskDescription field needs a more granular approach

[matthewscherer]

Related Issue https://github.com/elastic/sdh-beats/issues/5277

Describe the bug We are currently parsing the AccessMask field of all incoming security events and applying the descriptions below to the AccessMaskDescription field. For most events this is correct, however, in the case of event 4663 it is not. The code in question is here https://github.com/elastic/beats/blob/main/x-pack/winlogbeat/module/security/ingest/security.yml#L2203-L2232 and is released as the logs-system.security-1.61.1-standard ingest pipeline.

"AccessMaskDescriptions": {
  "0x00000001": "Create Child",
  "0x00000002": "Delete Child",
  "0x00000004": "List Contents",
  "0x00000008": "SELF",
  "0x00000010": "Read Property",
  "0x00000020": "Write Property",
  "0x00000040": "Delete Treee",
  "0x00000080": "List Object",
  "0x00000100": "Control Access",
  "0x00010000": "DELETE",
  "0x00020000": "READ_CONTROL",
  "0x00040000": "WRITE_DAC",
  "0x00080000": "WRITE_OWNER",
  "0x00100000": "SYNCHRONIZE",
  "0x00F00000": "STANDARD_RIGHTS_REQUIRED",
  "0x001F0000": "STANDARD_RIGHTS_ALL",
  "0x0000FFFF": "SPECIFIC_RIGHTS_ALL",
  "0x01000000": "ADS_RIGHT_ACCESS_SYSTEM_SECURITY",
  "0x10000000": "ADS_RIGHT_GENERIC_ALL",
  "0x20000000": "ADS_RIGHT_GENERIC_EXECUTE",
  "0x40000000": "ADS_RIGHT_GENERIC_WRITE",
  "0x80000000": "ADS_RIGHT_GENERIC_READ"
}

An example event is here. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663 This event has an access mask of 0x6 which mean WriteData and AppendData but we're applying Delete Child and List Contents.

Expected behavior We will need to parse the AccessMask field based on the event id number and apply the correct descriptions.

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)