Skip to content

[Enhancement] Add Script Entropy Fields to PowerShell events #15698

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

[Enhancement] Add Script Entropy Fields to PowerShell events #15698

wants to merge 4 commits into from

Conversation

@w0rk3r
Copy link
Contributor

@w0rk3r w0rk3r commented Oct 20, 2025

Proposed commit message

Adds powershell.file.script_block_entropy and powershell.file.script_block_entropy_normalized
fields computed at ingest time using Shannon entropy. These fields quantify the character-level
randomness of PowerShell script blocks to provide context that will be used in detection logic.

Summary

Related to https://github.com/elastic/ia-trade-team/issues/704

Adds powershell.file.script_block_entropy and powershell.file.script_block_entropy_normalized fields.

Inspired by: Painless Parsing: Shannon Entropy Calculation - Services

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@w0rk3r w0rk3r self-assigned this Oct 20, 2025
@w0rk3r w0rk3r requested a review from a team as a code owner October 20, 2025 17:46
@w0rk3r w0rk3r added the enhancement New feature or request label Oct 20, 2025
@w0rk3r w0rk3r requested a review from a team as a code owner October 20, 2025 17:46
@w0rk3r w0rk3r added the Integration:windows Windows label Oct 20, 2025
@w0rk3r w0rk3r requested review from a team, faec and rdner October 20, 2025 17:46
@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels Oct 20, 2025
@elasticmachine
Copy link

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

efd6
efd6 reviewed Oct 20, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that you can also calculate the entropy variance with very little extra work.

@w0rk3r w0rk3r marked this pull request as draft October 20, 2025 21:02
@elasticmachine
Copy link

elasticmachine commented Oct 21, 2025
edited
Loading

💔 Build Failed

Failed CI Steps

History

cc @w0rk3r

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 left review comments

@rdner rdner Awaiting requested review from rdner rdner is a code owner automatically assigned from elastic/elastic-agent-data-plane

@faec faec Awaiting requested review from faec faec is a code owner automatically assigned from elastic/elastic-agent-data-plane

At least 1 approving review is required to merge this pull request.

Assignees

@w0rk3r w0rk3r

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:windows Windows Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@w0rk3r @elasticmachine @efd6 @andrewkroh