[Winlogbeat] "Microsoft-Windows-PowerShell/Operational" case sensitive issue

[kowalczyk-p]

I found that just like reported in issue #36670 also "Microsoft-Windows-PowerShell/Operational" channel is sometimes written as "Microsoft-Windows-Power s hell/Operational". This is problem because routing pipeline for Winlogbeat runs valid sub-pipeline only if channel name matches "Microsoft-Windows-PowerShell/Operational" exacly (case sensitive). As result some of important events are not parsed.

Routing pipeline from version 8.8.2:

[
  {
    "set": {
      "field": "event.ingested",
      "value": "{{_ingest.timestamp}}"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-security",
      "if": "ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-sysmon",
      "if": "ctx?.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-powershell",
      "if": "ctx?.winlog?.channel == 'Windows PowerShell'"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-powershell_operational",
      "if": "ctx?.winlog?.channel == 'Microsoft-Windows-PowerShell/Operational'"
    }
  }
]

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

This should have been fixed by #36899. That has not been backported, but will be available in 8.12.

[ebeahan]

Issue reported as resolved in #36899 and released in 8.12. If the issue persists in testing with 8.12, please feel free to re-open.