From 0108734630beccaa2695bb1d84202ba116314bad Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Fri, 5 Jun 2020 15:26:01 +0200
Subject: [PATCH] Winlogbeat: fix powershell unprefixed fields in fields.yml (#19003)
Closes #18984
(cherry picked from commit 498c7cebd220380dbd4ca610b10bc1946d92d86a)
---
 CHANGELOG.next.asciidoc | 1 +
 winlogbeat/docs/fields.asciidoc | 10 +++++-----
 x-pack/winlogbeat/module/powershell/_meta/fields.yml | 10 +++++-----
 x-pack/winlogbeat/module/powershell/fields.go | 2 +-
 4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index d14d74a72454..79f1c36e1086 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -72,6 +72,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
 - Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526]
 - Fix Powershell processing of downgraded engine events. {pull}18966[18966]
+- Fix unprefixed fields in `fields.yml` for Powershell module {issue}18984[18984]
 *Functionbeat*
diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
index 8f54133b3b4a..aa8fb9762d9f 100644
--- a/winlogbeat/docs/fields.asciidoc
+++ b/winlogbeat/docs/fields.asciidoc
@@ -7482,7 +7482,7 @@ These are the event fields specific to the module for the Microsoft-Windows-Powe
-*`id`*::
+*`powershell.id`*::
 +
 --
 Shell Id.
@@ -7493,7 +7493,7 @@ example: Microsoft Powershell
 --
-*`pipeline_id`*::
+*`powershell.pipeline_id`*::
 +
 --
 Pipeline id.
@@ -7504,7 +7504,7 @@ example: 1
 --
-*`runspace_id`*::
+*`powershell.runspace_id`*::
 +
 --
 Runspace id.
@@ -7515,7 +7515,7 @@ example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb
 --
-*`sequence`*::
+*`powershell.sequence`*::
 +
 --
 Sequence number of the powershell execution.
@@ -7526,7 +7526,7 @@ example: 1
 --
-*`total`*::
+*`powershell.total`*::
 +
 --
 Total number of messages in the sequence.
diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml
index b1aba35a1803..7507fcc099c0 100644
--- a/x-pack/winlogbeat/module/powershell/_meta/fields.yml
+++ b/x-pack/winlogbeat/module/powershell/_meta/fields.yml
@@ -5,27 +5,27 @@ release: beta
 fields:
- - name: id
+ - name: powershell.id
 type: keyword
 description: Shell Id.
 example: Microsoft Powershell
- - name: pipeline_id
+ - name: powershell.pipeline_id
 type: keyword
 description: Pipeline id.
 example: "1"
- - name: runspace_id
+ - name: powershell.runspace_id
 type: keyword
 description: Runspace id.
 example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb"
- - name: sequence
+ - name: powershell.sequence
 type: long
 description: Sequence number of the powershell execution.
 example: 1
- - name: total
+ - name: powershell.total
 type: long
 description: Total number of messages in the sequence.
 example: 10
diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go
index 928c8c2172c3..aa20352042db 100644
--- a/x-pack/winlogbeat/module/powershell/fields.go
+++ b/x-pack/winlogbeat/module/powershell/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetPowershell returns asset data. // This is the base64 encoded gzipped contents of module/powershell. func AssetPowershell() string { - return "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" + return "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" }
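Review bot: The five entries in the `_meta/fields.yml` hunk are now declared as flat dotted names (`powershell.id` through `powershell.total`) rather than as one `- name: powershell` entry of `type: group` with the five fields nested under its own `fields:`; both forms should yield the same `powershell.*` mapping, but the group form keeps the prefix in exactly one place, so a future field cannot be added without it, which is the class of mistake this patch fixes (#18984). The enclosing entry that `release: beta` and `fields:` belong to starts above the hunk, so I cannot see whether this file already uses a group elsewhere. Nothing in the patch touches the code that populates these values, so it is worth confirming separately that the module emits events with the `powershell.` prefix the mapping now expects; a mismatch would leave the values unmapped for any detection rule or dashboard keyed on `powershell.*`.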