[windows] Add script block hash and signature to powershell pipelines

packages/windows/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.45.0"
+  changes:
+    - description: Add powershell.file.script_block_hash and powershell.file.script_block_signature fields.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10044
 - version: "1.44.5"
   changes:
     - description: Fix splitting of parameters for event 600 where it can hold multiline values in parameters.

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json

@@ -248,6 +248,7 @@
             },
             "powershell": {
                 "file": {
+                    "script_block_hash": "64TcviMSSJ/OdhiN8lVcBQeKWDU=",
                     "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa",
                     "script_block_text": ".\\patata.ps1"
                 },

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json

@@ -148,7 +148,7 @@
                 "event_data": {
                     "MessageNumber": "1",
                     "MessageTotal": "1",
-                    "ScriptBlockText": ".\\patata.ps1",
+                    "ScriptBlockText": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1",
                     "ScriptBlockId": "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
                 },
                 "provider_name": "Microsoft-Windows-PowerShell",

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json

@@ -248,8 +248,10 @@
             },
             "powershell": {
                 "file": {
+                    "script_block_hash": "GDs0QECaJqoAYuKAnsifUYS309U=",
                     "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa",
-                    "script_block_text": ".\\patata.ps1"
+                    "script_block_signature": "MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQBgjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNRAgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpNaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAyMDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n",
+                    "script_block_text": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1"
                 },
                 "sequence": 1,
                 "total": 1

packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml

@@ -290,6 +290,30 @@ processors:
       ignore_failure: true
       ignore_missing: true
       if: ctx?.winlog?.event_data?.ScriptBlockText != ""
+  - trim:
+      field: powershell.file.script_block_text
+      ignore_missing: true
+  - dissect:
+      field: powershell.file.script_block_text
+      pattern: "# SIG # Begin signature block%{powershell.file.script_block_signature}# SIG # End signature block"
+      ignore_missing: true
+      ignore_failure: true
+  - gsub:
+      field: powershell.file.script_block_signature
+      pattern: "\\n# "
+      replacement: ""
+      ignore_missing: true
+  - gsub:
+      field: powershell.file.script_block_text
+      target_field: _temp.script_block_no_space
+      pattern: "\\s"
+      replacement: ""
+      ignore_missing: true
+  - fingerprint:
+      fields:
+        - _temp.script_block_no_space
+      target_field: powershell.file.script_block_hash
+      ignore_missing: true
 
   - split:
       description: Split Event 4103 command invocation details.

packages/windows/data_stream/forwarded/fields/fields.yml

@@ -145,6 +145,16 @@
         Text of the executed script block.
 
       example: ".\\a_script.ps1"
+    - name: script_block_signature
+      type: keyword
+      description: >
+        If present in the script, the script signature.
+
+    - name: script_block_hash
+      type: keyword
+      description: >
+        A hash of the script to be used in rules.
+
 - name: powershell.process.executable_version
   type: keyword
   description: Version of the engine hosting process executable.

packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json

@@ -148,7 +148,7 @@
                 "event_data": {
                     "MessageNumber": "1",
                     "MessageTotal": "1",
-                    "ScriptBlockText": ".\\patata.ps1",
+                    "ScriptBlockText": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1",
                     "ScriptBlockId": "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
                 },
                 "provider_name": "Microsoft-Windows-PowerShell",

packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json

@@ -232,8 +232,10 @@
             },
             "powershell": {
                 "file": {
+                    "script_block_hash": "GDs0QECaJqoAYuKAnsifUYS309U=",
                     "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa",
-                    "script_block_text": ".\\patata.ps1"
+                    "script_block_signature": "MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQBgjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNRAgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpNaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAyMDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n",
+                    "script_block_text": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1"
                 },
                 "sequence": 1,
                 "total": 1

packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml

@@ -290,6 +290,30 @@ processors:
       ignore_failure: true
       ignore_missing: true
       if: ctx?.winlog?.event_data?.ScriptBlockText != ""
+  - trim:
+      field: powershell.file.script_block_text
+      ignore_missing: true
+  - dissect:
+      field: powershell.file.script_block_text
+      pattern: "# SIG # Begin signature block%{powershell.file.script_block_signature}# SIG # End signature block"
+      ignore_missing: true
+      ignore_failure: true
+  - gsub:
+      field: powershell.file.script_block_signature
+      pattern: "\\n# "
+      replacement: ""
+      ignore_missing: true
+  - gsub:
+      field: powershell.file.script_block_text
+      target_field: _temp.script_block_no_space
+      pattern: "\\s"
+      replacement: ""
+      ignore_missing: true
+  - fingerprint:
+      fields:
+        - _temp.script_block_no_space
+      target_field: powershell.file.script_block_hash
+      ignore_missing: true
 
   - split:
       description: Split Event 4103 command invocation details.

packages/windows/data_stream/powershell_operational/fields/fields.yml

@@ -106,6 +106,16 @@
         Text of the executed script block.
 
       example: ".\\a_script.ps1"
+    - name: script_block_signature
+      type: keyword
+      description: >
+        If present in the script, the script signature.
+
+    - name: script_block_hash
+      type: keyword
+      description: >
+        A hash of the script to be used in rules.
+
 - name: powershell.process.executable_version
   type: keyword
   description: Version of the engine hosting process executable.

packages/windows/docs/README.md

@@ -2107,7 +2107,9 @@ An example event for `powershell_operational` looks as following:
 | powershell.engine.new_state | New state of the PowerShell engine. | keyword |
 | powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword |
 | powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword |
+| powershell.file.script_block_hash | A hash of the script to be used in rules. | keyword |
 | powershell.file.script_block_id | Id of the executed script block. | keyword |
+| powershell.file.script_block_signature | If present in the script, the script signature. | keyword |
 | powershell.file.script_block_text | Text of the executed script block. | text |
 | powershell.id | Shell Id. | keyword |
 | powershell.pipeline_id | Pipeline id. | keyword |

packages/windows/manifest.yml

@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.44.5
+version: 1.45.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: