From 465e2a652a0dac518c5d40b2f8ee2ff00bead5fa Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Sun, 9 Nov 2025 18:13:21 -0300 Subject: [PATCH 1/2] [BugFix] Remove `script_block_signature` - Performance Problems --- packages/windows/changelog.yml | 6 ++++++ ...ershell-operational-events.json-expected.json | 1 - .../ingest_pipeline/powershell_operational.yml | 16 ---------------- .../data_stream/forwarded/fields/fields.yml | 4 ---- .../test/pipeline/test-events.json-expected.json | 1 - .../elasticsearch/ingest_pipeline/default.yml | 16 ---------------- .../powershell_operational/fields/fields.yml | 4 ---- packages/windows/docs/README.md | 1 - packages/windows/manifest.yml | 2 +- 9 files changed, 7 insertions(+), 44 deletions(-) diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index 169e2e56cb1..ea59c7e248f 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml @@ -1,4 +1,10 @@ # newer versions go on top +- version: "3.2.2" + changes: + - description: | + Remove the `script_block_signature` field to improve pipeline performance. + type: bugfix + link: https://github.com/elastic/integrations/pull/ - version: "3.2.1" changes: - description: | diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json index d7f6d9c20f0..71e81b1c8eb 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json 
@@ -308,7 +308,6 @@ "script_block_hash": "r0sdjfD0qsH7ckPwQpUfLLA0Slo=", "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", "script_block_length": 3350, - "script_block_signature": "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", "script_block_surprisal_stdev": 1.760352963786286, "script_block_text": "###\n# ==++==\n#\n# Copyright (c) Microsoft Corporation. All rights reserved.\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n#\n###\n@{\n GUID = \"4ae9fd46-338a-459c-8186-07f910774cb8\"\n Author = \"Microsoft Corporation\"\n CompanyName = \"Microsoft Corporation\"\n Copyright = \"(C) Microsoft Corporation. All rights reserved.\"\n HelpInfoUri = \"https://go.microsoft.com/fwlink/?linkid=2113634\"\n ModuleVersion = \"1.4.8.1\"\n PowerShellVersion = \"3.0\"\n ClrVersion = \"4.0\"\n RootModule = \"PackageManagement.psm1\"\n\tDescription = 'PackageManagement (a.k.a. OneGet) is a new way to discover and install software packages from around the web.\n It is a manager or multiplexor of existing package managers (also called package providers) that unifies Windows package management with a single Windows PowerShell interface. 
With PackageManagement, you can do the following.\n - Manage a list of software repositories in which packages can be searched, acquired and installed\n - Discover software packages\n - Seamlessly install, uninstall, and inventory packages from one or more software repositories'\n\n CmdletsToExport = @(\n 'Find-Package',\n 'Get-Package',\n 'Get-PackageProvider',\n 'Get-PackageSource',\n 'Install-Package',\n 'Import-PackageProvider'\n 'Find-PackageProvider'\n 'Install-PackageProvider'\n 'Register-PackageSource',\n 'Set-PackageSource',\n 'Unregister-PackageSource',\n 'Uninstall-Package'\n 'Save-Package'\n\t)\n\n\tFormatsToProcess = @('PackageManagement.format.ps1xml')\n\n\tPrivateData = @{\n PSData = @{\n Tags = @('PackageManagement', 'PSEdition_Core', 'PSEdition_Desktop', 'Linux', 'Mac')\n ProjectUri = 'https://oneget.org'\n ReleaseNotes = @'\n## 1.4.8.1\n- Update PackageManagement's strong name signing\n\n## 1.4.8\n- Add NuGet as a source when generating nuget.config file for user in the NuGet Provider\n\n## 1.4.7\n- Update security protocol to use TLS 1.2\n- Remove catalog file\n\n## 1.4.6\n- Update `HelpInfoUri` to point to the latest content\n\n## 1.4.5\n- Bug fix for deadlock when getting parameters in an event\n\n## 1.4.4\n- Bug fix when installing modules from private feeds\n\n ## 1.4.3\n- Another bug fix when registering repositories with PowerShellGet\n\n## 1.4.2\n- Bug fix for passing credentials from PowerShellGet when registering repositories\n\n## 1.4.1\n- Bug fix for using credential provider installed in Visual Studio\n\n## 1.4\n- Allow credential persistance for registering private repositories and finding or installing packages from those repositories\n\n## 1.3.2\n- Enable bootstrap on PSCore\n- Bug fix to run on .NET Core 3.0\n\n## 1.3.1\n- Targets net452 and netstandard2.0 instead of net451, netcoreapp2.0, and netstandard1.6\n \n## Previous releases are not included in this Changelog\n'@\n }\n }\n}\n\n# SIG # Begin signature block\n# 
MIInoQYJKoZIhvcNAQcCoIInkjCCJ44CAQExDzANBglghkgBZQMEAgEFADB5Bgor\n# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG\n# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCANw97w1D+bi5LY\n# 8ZEuubcA0tI0Z0h+CImFRYop+IIqQaCCDYEwggX/MIID56ADAgECAhMzAAACUosz\n# qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD\n# +nC4D7IMA1+6smM7fbSJa7o4BHfyje8PHB3w9GF223mZTG0EhBlultQkMSpV/c88\n# 9hsbwx16Cr5sY9M/lSRt4oC3qzSuTmYd6VYJ/ILt9ptrpOkaYCiXXRx8Cfz7w53w\n# Au/J8xJjNWvrKxkcc8XiUXPfGGTXujyiS2MqvztBkg6wCduFKqogmvOtQiiwQQxE\n# G6lU/rss27omoTUc41EawOr1km5y+fUS9aoYX9K8NNhFH6TSni3dp/+Hiyif1T7X\n# g0cBy4yHuYxMmRrFcmGeplW3KhXHfkJjbHaVs1QgnRfkgFuypwF5YoFWrW7Xgj+a\n# ZCDKSoYq45E4v0ryIvyu0shBoHQXREAzpBv3L9h5A9vEFQG4alCI57oSbdqJ1YIa\n# ggkTQHR2CWdB7FnQilCqqZjSnAtXYZh/RD+PX6fg1UyUUQf5ohnw951pQeKYTYHm\n# Fwut+RibzdbHEF/kLZr6SZsDupCv\n# SIG # End signature block", "script_block_unique_symbols": 79 diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml index 1d9415d7fb0..2c2469b5221 100644 --- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml +++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml 
@@ -302,22 +302,6 @@ processors: - trim: field: powershell.file.script_block_text ignore_missing: true - - gsub: - field: powershell.file.script_block_text - target_field: _temp.script_block_signature - pattern: "(?s).+# SIG # Begin signature block" - replacement: "# SIG # Begin signature block" - ignore_missing: true - - dissect: - field: _temp.script_block_signature - pattern: "# SIG # Begin signature block%{powershell.file.script_block_signature}# SIG # End signature block" - ignore_missing: true - ignore_failure: true - - gsub: - field: powershell.file.script_block_signature - pattern: "\\n# |\\n" - replacement: "" - ignore_missing: true - gsub: field: powershell.file.script_block_text target_field: _temp.script_block_no_space diff --git a/packages/windows/data_stream/forwarded/fields/fields.yml b/packages/windows/data_stream/forwarded/fields/fields.yml index 81c1ec35563..dc7b83380d9 100644 --- a/packages/windows/data_stream/forwarded/fields/fields.yml +++ b/packages/windows/data_stream/forwarded/fields/fields.yml @@ -141,10 +141,6 @@ Text of the executed script block. example: ".\\a_script.ps1" - - name: script_block_signature - type: keyword - description: > - If present in the script, the script signature. - name: script_block_hash type: keyword diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json index bf3de610904..5a074116f4e 100644 --- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json 
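Review bot: The three processors deleted here (the `(?s).+# SIG # Begin signature block` gsub, the dissect and the cleanup gsub) appear to be the only producers of `powershell.file.script_block_signature`, and with the matching `fields.yml` deletions in this hunk and the identical pair in `powershell_operational/elasticsearch/ingest_pipeline/default.yml` the field disappears from the schema, so any saved search or detection rule that filters on it will silently match nothing after upgrade. The changelog entry records this as `type: bugfix`, which understates a removed documented field; `type: breaking-change` plus one sentence telling rule authors that the signature block remains verbatim in `powershell.file.script_block_text` (the expected-JSON fixtures still end the text with `# SIG # End signature block`) would let them migrate to a text query such as matching on `# SIG # Begin signature block`. The cost being removed is presumably the `(?s).+` scan across the entire script block before the literal; if the field is worth keeping, a `script` processor that locates the begin/end markers with `indexOf` on the text would avoid the regex entirely, but that is a follow-up decision rather than something this deletion has to settle. The `processors:` list this hunk sits in begins and ends outside the hunk.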
@@ -292,7 +292,6 @@ "script_block_hash": "r0sdjfD0qsH7ckPwQpUfLLA0Slo=", "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", "script_block_length": 3350, - "script_block_signature": "MIInoQYJKoZIhvcNAQcCoIInkjCCJ44CAQExDzANBglghkgBZQMEAgEFADB5BgorBgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLGKX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCANw97w1D+bi5LY8ZEuubcA0tI0Z0h+CImFRYop+IIqQaCCDYEwggX/MIID56ADAgECAhMzAAACUoszqviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD+nC4D7IMA1+6smM7fbSJa7o4BHfyje8PHB3w9GF223mZTG0EhBlultQkMSpV/c889hsbwx16Cr5sY9M/lSRt4oC3qzSuTmYd6VYJ/ILt9ptrpOkaYCiXXRx8Cfz7w53wAu/J8xJjNWvrKxkcc8XiUXPfGGTXujyiS2MqvztBkg6wCduFKqogmvOtQiiwQQxEG6lU/rss27omoTUc41EawOr1km5y+fUS9aoYX9K8NNhFH6TSni3dp/+Hiyif1T7Xg0cBy4yHuYxMmRrFcmGeplW3KhXHfkJjbHaVs1QgnRfkgFuypwF5YoFWrW7Xgj+aZCDKSoYq45E4v0ryIvyu0shBoHQXREAzpBv3L9h5A9vEFQG4alCI57oSbdqJ1YIaggkTQHR2CWdB7FnQilCqqZjSnAtXYZh/RD+PX6fg1UyUUQf5ohnw951pQeKYTYHmFwut+RibzdbHEF/kLZr6SZsDupCv", "script_block_surprisal_stdev": 1.760352963786286, "script_block_text": "###\n# ==++==\n#\n# Copyright (c) Microsoft Corporation. All rights reserved.\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n#\n###\n@{\n GUID = \"4ae9fd46-338a-459c-8186-07f910774cb8\"\n Author = \"Microsoft Corporation\"\n CompanyName = \"Microsoft Corporation\"\n Copyright = \"(C) Microsoft Corporation. 
All rights reserved.\"\n HelpInfoUri = \"https://go.microsoft.com/fwlink/?linkid=2113634\"\n ModuleVersion = \"1.4.8.1\"\n PowerShellVersion = \"3.0\"\n ClrVersion = \"4.0\"\n RootModule = \"PackageManagement.psm1\"\n\tDescription = 'PackageManagement (a.k.a. OneGet) is a new way to discover and install software packages from around the web.\n It is a manager or multiplexor of existing package managers (also called package providers) that unifies Windows package management with a single Windows PowerShell interface. With PackageManagement, you can do the following.\n - Manage a list of software repositories in which packages can be searched, acquired and installed\n - Discover software packages\n - Seamlessly install, uninstall, and inventory packages from one or more software repositories'\n\n CmdletsToExport = @(\n 'Find-Package',\n 'Get-Package',\n 'Get-PackageProvider',\n 'Get-PackageSource',\n 'Install-Package',\n 'Import-PackageProvider'\n 'Find-PackageProvider'\n 'Install-PackageProvider'\n 'Register-PackageSource',\n 'Set-PackageSource',\n 'Unregister-PackageSource',\n 'Uninstall-Package'\n 'Save-Package'\n\t)\n\n\tFormatsToProcess = @('PackageManagement.format.ps1xml')\n\n\tPrivateData = @{\n PSData = @{\n Tags = @('PackageManagement', 'PSEdition_Core', 'PSEdition_Desktop', 'Linux', 'Mac')\n ProjectUri = 'https://oneget.org'\n ReleaseNotes = @'\n## 1.4.8.1\n- Update PackageManagement's strong name signing\n\n## 1.4.8\n- Add NuGet as a source when generating nuget.config file for user in the NuGet Provider\n\n## 1.4.7\n- Update security protocol to use TLS 1.2\n- Remove catalog file\n\n## 1.4.6\n- Update `HelpInfoUri` to point to the latest content\n\n## 1.4.5\n- Bug fix for deadlock when getting parameters in an event\n\n## 1.4.4\n- Bug fix when installing modules from private feeds\n\n ## 1.4.3\n- Another bug fix when registering repositories with PowerShellGet\n\n## 1.4.2\n- Bug fix for passing credentials from PowerShellGet when registering 
repositories\n\n## 1.4.1\n- Bug fix for using credential provider installed in Visual Studio\n\n## 1.4\n- Allow credential persistance for registering private repositories and finding or installing packages from those repositories\n\n## 1.3.2\n- Enable bootstrap on PSCore\n- Bug fix to run on .NET Core 3.0\n\n## 1.3.1\n- Targets net452 and netstandard2.0 instead of net451, netcoreapp2.0, and netstandard1.6\n \n## Previous releases are not included in this Changelog\n'@\n }\n }\n}\n\n# SIG # Begin signature block\n# MIInoQYJKoZIhvcNAQcCoIInkjCCJ44CAQExDzANBglghkgBZQMEAgEFADB5Bgor\n# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG\n# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCANw97w1D+bi5LY\n# 8ZEuubcA0tI0Z0h+CImFRYop+IIqQaCCDYEwggX/MIID56ADAgECAhMzAAACUosz\n# qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD\n# +nC4D7IMA1+6smM7fbSJa7o4BHfyje8PHB3w9GF223mZTG0EhBlultQkMSpV/c88\n# 9hsbwx16Cr5sY9M/lSRt4oC3qzSuTmYd6VYJ/ILt9ptrpOkaYCiXXRx8Cfz7w53w\n# Au/J8xJjNWvrKxkcc8XiUXPfGGTXujyiS2MqvztBkg6wCduFKqogmvOtQiiwQQxE\n# G6lU/rss27omoTUc41EawOr1km5y+fUS9aoYX9K8NNhFH6TSni3dp/+Hiyif1T7X\n# g0cBy4yHuYxMmRrFcmGeplW3KhXHfkJjbHaVs1QgnRfkgFuypwF5YoFWrW7Xgj+a\n# ZCDKSoYq45E4v0ryIvyu0shBoHQXREAzpBv3L9h5A9vEFQG4alCI57oSbdqJ1YIa\n# ggkTQHR2CWdB7FnQilCqqZjSnAtXYZh/RD+PX6fg1UyUUQf5ohnw951pQeKYTYHm\n# Fwut+RibzdbHEF/kLZr6SZsDupCv\n# SIG # End signature block", "script_block_unique_symbols": 79 diff --git a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml index 452712f74f0..580a9d4bb1e 100644 --- a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml 
@@ -302,22 +302,6 @@ processors: - trim: field: powershell.file.script_block_text ignore_missing: true - - gsub: - field: powershell.file.script_block_text - target_field: _temp.script_block_signature - pattern: "(?s).+# SIG # Begin signature block" - replacement: "# SIG # Begin signature block" - ignore_missing: true - - dissect: - field: _temp.script_block_signature - pattern: "# SIG # Begin signature block%{powershell.file.script_block_signature}# SIG # End signature block" - ignore_missing: true - ignore_failure: true - - gsub: - field: powershell.file.script_block_signature - pattern: "\\n# |\\n" - replacement: "" - ignore_missing: true - gsub: field: powershell.file.script_block_text target_field: _temp.script_block_no_space diff --git a/packages/windows/data_stream/powershell_operational/fields/fields.yml b/packages/windows/data_stream/powershell_operational/fields/fields.yml index 71e2b35db65..64218ab076e 100644 --- a/packages/windows/data_stream/powershell_operational/fields/fields.yml +++ b/packages/windows/data_stream/powershell_operational/fields/fields.yml @@ -102,10 +102,6 @@ Text of the executed script block. example: ".\\a_script.ps1" - - name: script_block_signature - type: keyword - description: > - If present in the script, the script signature. - name: script_block_hash type: keyword diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md index 69b80b851a5..82b8995ad3f 100644 --- a/packages/windows/docs/README.md +++ b/packages/windows/docs/README.md 
@@ -2156,7 +2156,6 @@ An example event for `powershell_operational` looks as following: | powershell.file.script_block_hash | A hash of the script to be used in rules. | keyword | | powershell.file.script_block_id | Id of the executed script block. | keyword | | powershell.file.script_block_length | Total number of characters in the script. | long | -| powershell.file.script_block_signature | If present in the script, the script signature. | keyword | | powershell.file.script_block_surprisal_stdev | Consistency of randomness distribution across the script. Low values indicate uniform randomness. High values indicate mixed patterns with variability. | float | | powershell.file.script_block_text | Text of the executed script block. | text | | powershell.file.script_block_unique_symbols | Number of distinct characters used in the script. | long | diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index a4f8dafe643..063c49ee1b6 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 3.2.1 +version: 3.2.2 description: Collect logs and metrics from Windows OS and services with Elastic Agent. type: integration categories: From 661ccc8243651bd2b0ebd00130bb83756347038b Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Sun, 9 Nov 2025 18:59:26 -0300 Subject: [PATCH 2/2] ++ --- packages/windows/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index ea59c7e248f..823d6fdd23e 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml @@ -4,7 +4,7 @@ - description: | Remove the `script_block_signature` field to improve pipeline performance. type: bugfix - link: https://github.com/elastic/integrations/pull/ + link: https://github.com/elastic/integrations/pull/15907 - version: "3.2.1" changes: - description: |