diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 823d6fdd23e..dfaca6462a4 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.2.3"
+ changes:
+ - description: Handle ContextInfo containing multi-line values in PowerShell Event ID 4103.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/16013
 - version: "3.2.2"
 changes:
 - description: |
diff --git a/packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json b/packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json
index 1b7beb3b9ff..7302a48e536 100644
--- a/packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json
+++ b/packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json
@@ -49,10 +49,10 @@
 "log": {
 "level": "Warning\u0000"
 },
+ "message": "%OSDRIVE%\\USERS\\NICPE\\.VSCODE\\EXTENSIONS\\MS-VSCODE.POWERSHELL-2023.6.0\\MODULES\\PSSCRIPTANALYZER\\1.21.0\\PSSCRIPTANALYZER.PSM1 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.\u0000",
 "process": {
 "pid": 25192
 },
- "message": "%OSDRIVE%\\USERS\\NICPE\\.VSCODE\\EXTENSIONS\\MS-VSCODE.POWERSHELL-2023.6.0\\MODULES\\PSSCRIPTANALYZER\\1.21.0\\PSSCRIPTANALYZER.PSM1 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.\u0000",
 "user": {
 "id": "S-1-5-21-2707992022-4034939591-3454028951-1001",
 "name": "nicpe"
diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json
index b8fae45df47..750ff7a98f8 100644
--- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json
+++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json
@@ -275,6 +275,98 @@ "version": 1 } }, + { + "@timestamp": "2023-06-01T05:27:01.247Z", + "event": { + "action": "Executing Pipeline", + "code": "4103", + "kind": "event", + "provider": "Microsoft-Windows-PowerShell" + }, + "host": { + "name": "host.contoso.com" + }, + "log": { + "level": "information" + }, + "message": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"\n\n\nContext:\n Severity = Informational\n Host Name = OpsMgr PowerShell Host\n Host Version = 7.0.5000.0\n Host ID = b0c2607f-a734-4f24-8f75-fb6e7b79d116\n Host Application = C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding\n Engine Version = 5.1.17763.3770\n Runspace ID = 860aba3e-ecbc-48d8-beaa-b5c19b845dfb\n Pipeline ID = 2\n Command Name = Get-ItemProperty\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 7213\n User = CONTOSO\\SYSTEM\n Connected User = \n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", + "winlog": { + "activity_id": "{a5ce6d2b-8964-4ec4-b0a3-1e749f8aa4ad}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "host.contoso.com", + "event_data": { + "ContextInfo": " Severity = Informational\n Host Name = OpsMgr PowerShell Host\n Host Version = 7.0.5000.0\n 
Host ID = 1c251f62-545d-4d71-901e-b3445e459c2c\n Host Application = C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Import-Module 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules\\PowerShellEditorServices\\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2025.4.0' -BundledModulesPath 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules' -EnableConsoleRepl -StartupBanner \"PowerShell Extension v2025.4.0\nCopyright (c) Microsoft Corporation.\n\nhttps://aka.ms/vscode-powershell\nType 'help' to get help.\n\" -LogLevel 'Warning' -LogPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\logs\\20251029T133303\\window1\\exthost\\ms-vscode.powershell' -SessionDetailsPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\User\\globalStorage\\ms-vscode.powershell\\sessions\\PSES-VSCode-30052-837581.json' -FeatureFlags @()\n Engine Version = 5.1.17763.3770\n Runspace ID = 9f8ee3e6-561c-4875-a882-a352509348b8\n Pipeline ID = 2\n Command Name = Get-ItemProperty\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 7216833\n User = CONTOSO\\SYSTEM\n Connected User = \n Shell ID = Microsoft.PowerShell", + "Payload": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; 
PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"" + }, + "event_id": "4103", + "level": "information", + "opcode": "To be used when operation is just executing a method", + "process": { + "pid": 2349, + "thread": { + "id": 32444 + } + }, + "provider_guid": "{92a98569-96ac-46a7-af87-1eba79f456ee}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": 5663677, + "task": "Executing Pipeline", + "time_created": "2023-06-01T05:27:01.2479769Z", + "user": { + "identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000", + "domain": "DESKTOP-6RJHI71", + "name": "JohnDoe", + "type": "User" + }, + "version": 1 + } + }, + { + "@timestamp": "2023-06-01T05:27:01.247Z", + "event": { + "action": "Executing Pipeline", + "code": "4103", + "kind": "event", + "provider": "Microsoft-Windows-PowerShell" + }, + "host": { + "name": "host.contoso.com" + }, + "log": { + "level": "information" + }, + "message": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"\n\n\nContext:\n Severity = Informational\n Host Name = OpsMgr PowerShell Host\n Host Version = 7.0.5000.0\n Host ID = 
b0c2607f-a734-4f24-8f75-fb6e7b79d116\n Host Application = C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding\n Engine Version = 5.1.17763.3770\n Runspace ID = 860aba3e-ecbc-48d8-beaa-b5c19b845dfb\n Pipeline ID = 2\n Command Name = Get-ItemProperty\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 7213\n User = CONTOSO\\SYSTEM\n Connected User = \n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", + "winlog": { + "activity_id": "{a5ce6d2b-8964-4ec4-b0a3-1e749f8aa4ad}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "host.contoso.com", + "event_data": { + "ContextInfo": " Severity = Informational\n Host Name = OpsMgr PowerShell Host\n Host Version = 7.0.5000.0\n Host ID = 1c251f62-545d-4d71-901e-b3445e459c2c\n Host Application = C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Import-Module 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules\\PowerShellEditorServices\\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2025.4.0' -BundledModulesPath 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules' -EnableConsoleRepl -StartupBanner \"PowerShell Extension v2025.4.0\nCopyright (c) Microsoft Corporation.\" -LogLevel 'Warning' -LogPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\logs\\20251029T133303\\window1\\exthost\\ms-vscode.powershell' -SessionDetailsPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\User\\globalStorage\\ms-vscode.powershell\\sessions\\PSES-VSCode-30052-837581.json' -FeatureFlags @()\n Engine Version = 5.1.17763.3770\n Runspace ID = 9f8ee3e6-561c-4875-a882-a352509348b8\n Pipeline ID = 2\n Command Name = Get-ItemProperty\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 7216833\n User = CONTOSO\\SYSTEM\n Connected User = \n Shell ID 
= Microsoft.PowerShell", + "Payload": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"" + }, + "event_id": "4103", + "level": "information", + "opcode": "To be used when operation is just executing a method", + "process": { + "pid": 2349, + "thread": { + "id": 32444 + } + }, + "provider_guid": "{92a98569-96ac-46a7-af87-1eba79f456ee}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": 5663677, + "task": "Executing Pipeline", + "time_created": "2023-06-01T05:27:01.2479769Z", + "user": { + "identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000", + "domain": "DESKTOP-6RJHI71", + "name": "JohnDoe", + "type": "User" + }, + "version": 1 + } + }, { "@timestamp": "2024-09-03T15:27:45.847Z", "event": { diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json index 5a074116f4e..3b4a3715ad6 100644 --- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json 
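Review bot: The two added 4103 events carry a `message` whose Context block contradicts the `winlog.event_data.ContextInfo` of the same record: the message says `Host ID = b0c2607f-…`, `Host Application = …MonitoringHost.exe -Embedding`, `Runspace ID = 860aba3e-…` and `Sequence Number = 7213`, while ContextInfo says `1c251f62-…`, `…powershell.exe …`, `9f8ee3e6-…` and `7216833`. The fixture still exercises the multi-line split, but anyone comparing it with the expected output will find `process.entity_id`, `event.sequence` and `process.command_line` disagreeing with the message text and may read that as a pipeline bug. Either derive the message's Context lines from the same values as ContextInfo, or say in the PR description that only ContextInfo is parsed for this case. The two events differ only in the `-StartupBanner` text (one with a blank line and a URL, one without), which presumably is the intended coverage of the blank-line case and is worth stating as well. The enclosing JSON array starts and ends outside the hunk.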
@@ -533,6 +533,312 @@ "version": 1 } }, + { + "@timestamp": "2023-06-01T05:27:01.247Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "Executing Pipeline", + "category": [ + "process" + ], + "code": "4103", + "kind": "event", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 7216833, + "type": [ + "info" + ] + }, + "host": { + "name": "host.contoso.com" + }, + "log": { + "level": "information" + }, + "message": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"\n\n\nContext:\n Severity = Informational\n Host Name = OpsMgr PowerShell Host\n Host Version = 7.0.5000.0\n Host ID = b0c2607f-a734-4f24-8f75-fb6e7b79d116\n Host Application = C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding\n Engine Version = 5.1.17763.3770\n Runspace ID = 860aba3e-ecbc-48d8-beaa-b5c19b845dfb\n Pipeline ID = 2\n Command Name = Get-ItemProperty\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 7213\n User = CONTOSO\\SYSTEM\n Connected User = \n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Get-ItemProperty", + "type": "CommandInvocation", + "value": "\"Get-ItemProperty\"" + }, + { 
+ "name": "\"Path\"", + "related_command": "Get-ItemProperty", + "type": "ParameterBinding", + "value": "\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"" + }, + { + "name": "\"Name\"", + "related_command": "Get-ItemProperty", + "type": "ParameterBinding", + "value": "\"Authentication Packages\"" + }, + { + "related_command": "Select-Object", + "type": "CommandInvocation", + "value": "\"Select-Object\"" + }, + { + "name": "\"ExpandProperty\"", + "related_command": "Select-Object", + "type": "ParameterBinding", + "value": "\"Authentication Packages\"" + }, + { + "name": "\"InputObject\"", + "related_command": "Select-Object", + "type": "ParameterBinding", + "value": "\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"" + } + ], + "name": "Get-ItemProperty", + "type": "Cmdlet" + }, + "engine": { + "version": "5.1.17763.3770" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "2", + "process": { + "executable_version": "7.0.5000.0" + }, + "runspace_id": "9f8ee3e6-561c-4875-a882-a352509348b8" + }, + "process": { + "args": [ + "C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-NoProfile", + "-ExecutionPolicy", + "Bypass", + "-Command", + "Import-Module", + "'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules\\PowerShellEditorServices\\PowerShellEditorServices.psd1';", + "Start-EditorServices", + "-HostName", + "'Visual", + "Studio", + "Code", + "Host'", + "-HostProfileId", + "'Microsoft.VSCode'", + "-HostVersion", + "'2025.4.0'", + "-BundledModulesPath", + "'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules'", + "-EnableConsoleRepl", + "-StartupBanner", + "PowerShell Extension v2025.4.0\nCopyright (c) 
Microsoft Corporation.\n\nhttps://aka.ms/vscode-powershell\nType 'help' to get help.\n", + "-LogLevel", + "'Warning'", + "-LogPath", + "'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\logs\\20251029T133303\\window1\\exthost\\ms-vscode.powershell'", + "-SessionDetailsPath", + "'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\User\\globalStorage\\ms-vscode.powershell\\sessions\\PSES-VSCode-30052-837581.json'", + "-FeatureFlags", + "@()" + ], + "args_count": 30, + "command_line": "C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Import-Module 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules\\PowerShellEditorServices\\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2025.4.0' -BundledModulesPath 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules' -EnableConsoleRepl -StartupBanner \"PowerShell Extension v2025.4.0\nCopyright (c) Microsoft Corporation.\n\nhttps://aka.ms/vscode-powershell\nType 'help' to get help.\n\" -LogLevel 'Warning' -LogPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\logs\\20251029T133303\\window1\\exthost\\ms-vscode.powershell' -SessionDetailsPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\User\\globalStorage\\ms-vscode.powershell\\sessions\\PSES-VSCode-30052-837581.json' -FeatureFlags @()", + "entity_id": "1c251f62-545d-4d71-901e-b3445e459c2c", + "pid": 2349, + "title": "OpsMgr PowerShell Host" + }, + "related": { + "hosts": [ + "DESKTOP-6RJHI71" + ], + "user": [ + "JohnDoe" + ] + }, + "user": { + "domain": "DESKTOP-6RJHI71", + "id": "S-1-5-21-2882078887-1352635951-3305458046-1000", + "name": "JohnDoe" + }, + "winlog": { + "activity_id": "{a5ce6d2b-8964-4ec4-b0a3-1e749f8aa4ad}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "host.contoso.com", + "event_id": "4103", + "opcode": "To be used when operation is just 
executing a method", + "process": { + "pid": 2349, + "thread": { + "id": 32444 + } + }, + "provider_guid": "{92a98569-96ac-46a7-af87-1eba79f456ee}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "5663677", + "task": "Executing Pipeline", + "user": { + "domain": "DESKTOP-6RJHI71", + "identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000", + "name": "JohnDoe", + "type": "User" + }, + "version": 1 + } + }, + { + "@timestamp": "2023-06-01T05:27:01.247Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "Executing Pipeline", + "category": [ + "process" + ], + "code": "4103", + "kind": "event", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 7216833, + "type": [ + "info" + ] + }, + "host": { + "name": "host.contoso.com" + }, + "log": { + "level": "information" + }, + "message": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"\n\n\nContext:\n Severity = Informational\n Host Name = OpsMgr PowerShell Host\n Host Version = 7.0.5000.0\n Host ID = b0c2607f-a734-4f24-8f75-fb6e7b79d116\n Host Application = C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding\n Engine Version = 5.1.17763.3770\n Runspace ID = 860aba3e-ecbc-48d8-beaa-b5c19b845dfb\n Pipeline ID = 
2\n Command Name = Get-ItemProperty\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 7213\n User = CONTOSO\\SYSTEM\n Connected User = \n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Get-ItemProperty", + "type": "CommandInvocation", + "value": "\"Get-ItemProperty\"" + }, + { + "name": "\"Path\"", + "related_command": "Get-ItemProperty", + "type": "ParameterBinding", + "value": "\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"" + }, + { + "name": "\"Name\"", + "related_command": "Get-ItemProperty", + "type": "ParameterBinding", + "value": "\"Authentication Packages\"" + }, + { + "related_command": "Select-Object", + "type": "CommandInvocation", + "value": "\"Select-Object\"" + }, + { + "name": "\"ExpandProperty\"", + "related_command": "Select-Object", + "type": "ParameterBinding", + "value": "\"Authentication Packages\"" + }, + { + "name": "\"InputObject\"", + "related_command": "Select-Object", + "type": "ParameterBinding", + "value": "\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"" + } + ], + "name": "Get-ItemProperty", + "type": "Cmdlet" + }, + "engine": { + "version": "5.1.17763.3770" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "2", + "process": { + "executable_version": "7.0.5000.0" + }, + "runspace_id": "9f8ee3e6-561c-4875-a882-a352509348b8" + }, + "process": { + "args": [ + "C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-NoProfile", + "-ExecutionPolicy", + "Bypass", + "-Command", + "Import-Module", + 
"'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules\\PowerShellEditorServices\\PowerShellEditorServices.psd1';", + "Start-EditorServices", + "-HostName", + "'Visual", + "Studio", + "Code", + "Host'", + "-HostProfileId", + "'Microsoft.VSCode'", + "-HostVersion", + "'2025.4.0'", + "-BundledModulesPath", + "'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules'", + "-EnableConsoleRepl", + "-StartupBanner", + "PowerShell Extension v2025.4.0\nCopyright (c) Microsoft Corporation.", + "-LogLevel", + "'Warning'", + "-LogPath", + "'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\logs\\20251029T133303\\window1\\exthost\\ms-vscode.powershell'", + "-SessionDetailsPath", + "'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\User\\globalStorage\\ms-vscode.powershell\\sessions\\PSES-VSCode-30052-837581.json'", + "-FeatureFlags", + "@()" + ], + "args_count": 30, + "command_line": "C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Import-Module 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules\\PowerShellEditorServices\\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2025.4.0' -BundledModulesPath 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules' -EnableConsoleRepl -StartupBanner \"PowerShell Extension v2025.4.0\nCopyright (c) Microsoft Corporation.\" -LogLevel 'Warning' -LogPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\logs\\20251029T133303\\window1\\exthost\\ms-vscode.powershell' -SessionDetailsPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\User\\globalStorage\\ms-vscode.powershell\\sessions\\PSES-VSCode-30052-837581.json' -FeatureFlags @()", + "entity_id": "1c251f62-545d-4d71-901e-b3445e459c2c", + "pid": 2349, + "title": "OpsMgr PowerShell Host" + }, + "related": { + "hosts": [ + "DESKTOP-6RJHI71" + ], + "user": [ + 
"JohnDoe" + ] + }, + "user": { + "domain": "DESKTOP-6RJHI71", + "id": "S-1-5-21-2882078887-1352635951-3305458046-1000", + "name": "JohnDoe" + }, + "winlog": { + "activity_id": "{a5ce6d2b-8964-4ec4-b0a3-1e749f8aa4ad}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "host.contoso.com", + "event_id": "4103", + "opcode": "To be used when operation is just executing a method", + "process": { + "pid": 2349, + "thread": { + "id": 32444 + } + }, + "provider_guid": "{92a98569-96ac-46a7-af87-1eba79f456ee}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "5663677", + "task": "Executing Pipeline", + "user": { + "domain": "DESKTOP-6RJHI71", + "identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000", + "name": "JohnDoe", + "type": "User" + }, + "version": 1 + } + }, { "@timestamp": "2024-09-03T15:27:45.847Z", "ecs": { diff --git a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml index 580a9d4bb1e..fe34b7b7745 100644 --- a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml @@ -5,7 +5,7 @@ processors: description: Split Event 4103 event data fields. field: winlog.event_data.ContextInfo target_field: winlog.event_data - field_split: "\n" + field_split: "\\n(?!\\n)\\s+" trim_key: " \n\t" trim_value: " \n\t" value_split: "[:=]" diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index 063c49ee1b6..e689d82c095 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 3.2.2 +version: 3.2.3 description: Collect logs and metrics from Windows OS and services with Elastic Agent. type: integration categories: