Winlogbeat: fix powershell unprefixed fields in fields.yml

Closes elastic#18984
marc-gr · Jun 5, 2020 · 50fae6d · 50fae6d
1 parent 00d367b
commit 50fae6d
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 11 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -72,6 +72,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
 - Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526]
 - Fix Powershell processing of downgraded engine events. {pull}18966[18966]
+- Fix unprefixed fields in `fields.yml` for Powershell module {issue}18984[18984]
 
 *Functionbeat*
 

diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
@@ -7484,7 +7484,7 @@ These are the event fields specific to the module for the Microsoft-Windows-Powe
 
 
 
-*`id`*::
+*`powershell.id`*::
 +
 --
 Shell Id.
@@ -7495,7 +7495,7 @@ example: Microsoft Powershell
 
 --
 
-*`pipeline_id`*::
+*`powershell.pipeline_id`*::
 +
 --
 Pipeline id.
@@ -7506,7 +7506,7 @@ example: 1
 
 --
 
-*`runspace_id`*::
+*`powershell.runspace_id`*::
 +
 --
 Runspace id.
@@ -7517,7 +7517,7 @@ example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb
 
 --
 
-*`sequence`*::
+*`powershell.sequence`*::
 +
 --
 Sequence number of the powershell execution.
@@ -7528,7 +7528,7 @@ example: 1
 
 --
 
-*`total`*::
+*`powershell.total`*::
 +
 --
 Total number of messages in the sequence.

diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml
@@ -5,27 +5,27 @@
   release: beta
   fields:
 
-    - name: id
+    - name: powershell.id
       type: keyword
       description: Shell Id.
       example: Microsoft Powershell
 
-    - name: pipeline_id
+    - name: powershell.pipeline_id
       type: keyword
       description: Pipeline id.
       example: "1"
 
-    - name: runspace_id
+    - name: powershell.runspace_id
       type: keyword
       description: Runspace id.
       example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb"
 
-    - name: sequence
+    - name: powershell.sequence
       type: long
       description: Sequence number of the powershell execution.
       example: 1
 
-    - name: total
+    - name: powershell.total
       type: long
       description: Total number of messages in the sequence.
       example: 10

diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go