
windows/powershell: fix regexp constraints in event 800 parameter detail processing (#3495)
efd6 committed Jun 9, 2022
1 parent 0f30aff commit 0cc27d7
Showing 5 changed files with 247 additions and 2 deletions.
5 changes: 5 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.12.2"
changes:
- description: Fix processing of Powershell event 800 parameter details.
type: bugfix
link: https://github.com/elastic/integrations/pull/3495
- version: "1.12.1"
changes:
- description: Drop unset fields in sysmon_operational data stream.
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,73 @@
"host": {
"name": "vagrant"
}
},
{
"@timestamp": "2020-05-15T08:33:26.393089Z",
"event": {
"action": "Pipeline Execution Details",
"code": "800",
"kind": "event",
"provider": "PowerShell"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "Pipeline execution details for command line: Import-LocalizedData LocalizedData -filename ArchiveResources\n. \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n \n\nDetails: \nCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_data": {
"param1": "Import-LocalizedData LocalizedData -filename ArchiveResources",
"param2": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources",
"param3": "CommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\""
},
"event_id": "800",
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": 1846,
"task": "Pipeline Execution Details"
}
},
{
"@timestamp": "2020-05-15T08:33:26.393089Z",
"event": {
"action": "Pipeline Execution Details",
"code": "800",
"kind": "event",
"provider": "PowerShell"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "Pipeline execution details for command line: . \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine= \n\nDetails: \nCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_data": {
"param2": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=",
"param3": "ParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\""
},
"event_id": "800",
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": 1847,
"task": "Pipeline Execution Details"
}
}
]
}
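Review bot: The two event 800 samples added to this test input exercise a detail value containing `:` (the `C:\Gopath\...` path inside param3) but none whose value contains `(` or `):`, which is the case the tightened `[^:(]+` group in the pipeline script is there to handle, so the fixture does not pin the regression the commit fixes. A third sample whose param3 carries a ParameterBinding value with an embedded parenthesised expression, e.g. a constructed `value="Get-Item (Join-Path $a $b)"`, would make the expected output fail if the regex is loosened again. The second sample omits param1 and the CommandInvocation line, presumably to cover a details block with no command line; since JSON cannot hold a comment, that intent is worth stating in the commit description.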
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,179 @@
"provider_name": "PowerShell",
"record_id": "1687"
}
},
{
"@timestamp": "2020-05-15T08:33:26.393089Z",
"ecs": {
"version": "8.0.0"
},
"event": {
"action": "Pipeline Execution Details",
"category": "process",
"code": "800",
"kind": "event",
"provider": "PowerShell",
"sequence": 141,
"type": "info"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "Pipeline execution details for command line: Import-LocalizedData LocalizedData -filename ArchiveResources\n. \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n \n\nDetails: \nCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
"powershell": {
"command": {
"invocation_details": [
{
"related_command": "Import-LocalizedData",
"type": "CommandInvocation",
"value": "\"Import-LocalizedData\""
},
{
"name": "\"FileName\"",
"related_command": "Import-LocalizedData",
"type": "ParameterBinding",
"value": "\"ArchiveResources\""
},
{
"name": "\"BindingVariable\"",
"related_command": "Import-LocalizedData",
"type": "ParameterBinding",
"value": "\"LocalizedData\""
},
{
"related_command": "Import-LocalizedData",
"type": "NonTerminatingError",
"value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\""
}
],
"value": "Import-LocalizedData LocalizedData -filename ArchiveResources"
},
"engine": {
"version": "5.1.17763.1007"
},
"pipeline_id": "71",
"process": {
"executable_version": "5.1.17763.1007"
},
"runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf",
"sequence": 1,
"total": 1
},
"process": {
"args": [
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"-noexit",
"-command",
"'C:\\Gopath\\src\\github.com\\elastic\\beats'"
],
"args_count": 4,
"command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'",
"entity_id": "aae5217d-054f-435f-9968-4b5bebf12116",
"title": "ConsoleHost"
},
"related": {
"user": [
"vagrant"
]
},
"user": {
"domain": "VAGRANT",
"name": "vagrant"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": "800",
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": "1846",
"task": "Pipeline Execution Details"
}
},
{
"@timestamp": "2020-05-15T08:33:26.393089Z",
"ecs": {
"version": "8.0.0"
},
"event": {
"action": "Pipeline Execution Details",
"category": "process",
"code": "800",
"kind": "event",
"provider": "PowerShell",
"sequence": 143,
"type": "info"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "Pipeline execution details for command line: . \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine= \n\nDetails: \nCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
"powershell": {
"command": {
"invocation_details": [
{
"name": "\"InputObject\"",
"related_command": "Out-Default",
"type": "ParameterBinding",
"value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\""
}
]
},
"engine": {
"version": "5.1.17763.1007"
},
"pipeline_id": "71",
"process": {
"executable_version": "5.1.17763.1007"
},
"runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf",
"sequence": 1,
"total": 1
},
"process": {
"args": [
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"-noexit",
"-command",
"'C:\\Gopath\\src\\github.com\\elastic\\beats'"
],
"args_count": 4,
"command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'",
"entity_id": "aae5217d-054f-435f-9968-4b5bebf12116",
"title": "ConsoleHost"
},
"related": {
"user": [
"vagrant"
]
},
"user": {
"domain": "VAGRANT",
"name": "vagrant"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": "800",
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": "1847",
"task": "Pipeline Execution Details"
}
}
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -229,7 +229,7 @@ processors:
field: param3
source: |-
def parseRawDetail(String raw) {
Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
Pattern detailRegex = /^([^:(]+)\((.+)\)\:\s*(.+)?$/;
Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/;
def matcher = detailRegex.matcher(raw);
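Review bot: The tightened first group on the changed line stops `related_command` from swallowing the start of the value, but the second group `(.+)\)\:` is still greedy and anchors on the last `):` in the line, so a parameter value that itself contains `):` (these strings come from the logged command, so their contents are chosen by whoever ran it; a constructed example is `ParameterBinding(Write-Host): name="Object"; value="f(x): y"`) still ends up in `related_command` instead of `value`. Because `powershell.command.invocation_details.related_command` is what downstream rules match cmdlet names against, a misparse here is a detection gap rather than a cosmetic one. Restricting the group to the command token, `Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/;`, makes the match independent of the value's contents; the unchanged `name\=(.+);` in parameterBindingRegex on the next line has the same greedy split on the last `;` and would benefit from the same treatment. parseRawDetail's body continues outside the hunk.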
2 changes: 1 addition & 1 deletion packages/windows/manifest.yml
@@ -1,6 +1,6 @@
name: windows
title: Windows
version: 1.12.1
version: 1.12.2
description: Collect logs and metrics from Windows OS and services with Elastic Agent.
type: integration
categories:
