From 635c0236f2dc3c434e4196efb8652855eaf667dc Mon Sep 17 00:00:00 2001
From: Sai Kiran <85323324+r00tu53r@users.noreply.github.com>
Date: Thu, 31 Mar 2022 19:48:19 +1100
Subject: [PATCH 1/6] Add support to process string and binary data types for registry values
---
 .../data_stream/forwarded/sample_event.json | 15 +-
 .../pipeline/test-events.json-expected.json | 330 +++++------
 .../data_stream/powershell/sample_event.json | 15 +-
 .../pipeline/test-events.json-expected.json | 328 +++++------
 .../powershell_operational/sample_event.json | 15 +-
 .../_dev/test/pipeline/test-events.json | 304 ++++++++++-
 .../pipeline/test-events.json-expected.json | 516 ++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 48 +-
 .../sysmon_operational/sample_event.json | 13 +-
 9 files changed, 1213 insertions(+), 371 deletions(-)
diff --git a/packages/windows/data_stream/forwarded/sample_event.json b/packages/windows/data_stream/forwarded/sample_event.json
index 33ffd9fa42b..2b6f02eb4a4 100644
--- a/packages/windows/data_stream/forwarded/sample_event.json
+++ b/packages/windows/data_stream/forwarded/sample_event.json
@@ -1,11 +1,12 @@
 {
 "@timestamp": "2020-05-13T09:04:04.755Z",
 "agent": {
- "ephemeral_id": "f883378c-95a9-4517-b5b8-249266a41a95",
- "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
+ "ephemeral_id": "17601e61-e945-4f5c-aec5-4a2d491f3b00",
+ "hostname": "docker-fleet-agent",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "data_stream": {
 "dataset": "windows.forwarded",
@@ -16,17 +17,17 @@
 "version": "8.0.0"
 },
 "elastic_agent": {
- "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
 "snapshot": false,
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "event": {
 "agent_id_status": "verified",
 "category": "process",
 "code": "4105",
- "created": "2022-01-12T05:23:24.033Z",
+ "created": "2022-03-31T08:40:37.999Z",
 "dataset": "windows.forwarded",
- "ingested": "2022-01-12T05:23:25Z",
+ "ingested": "2022-03-31T08:40:39Z",
 "kind": "event",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-PowerShell",
diff --git a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
index cf627331c69..e78dee3f57d 100644
--- a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
@@ -1,121 +1,175 @@ { "expected": [ { + "@timestamp": "2020-05-13T13:21:43.183Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "process", + "code": "600", + "ingested": "2022-03-31T08:44:05.709674800Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": 
"5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, "process": { "args": [ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Users\\vagrant\\Desktop\\lateral.ps1" ], "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", - "title": "Windows PowerShell ISE Host", - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1" + "title": "Windows PowerShell ISE Host" }, - "@timestamp": "2020-05-13T13:21:43.183Z", + "tags": [ + "forwarded" + ], "winlog": { "channel": "Windows PowerShell", "computer_name": "vagrant", - "record_id": "1089", "event_id": "600", "keywords": [ "Classic" ], - "provider_name": "PowerShell" - }, + "provider_name": "PowerShell", + "record_id": "1089" + } + }, + { + "@timestamp": "2020-05-14T07:00:30.891Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "400", + "ingested": "2022-03-31T08:44:05.709684500Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:00:30.891423500Z'/\u003e\u003cEventRecordID\u003e1492\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:01:14.371507600Z'/\u003e\u003cEventRecordID\u003e1511\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:32:51.989256800Z'/\u003e\u003cEventRecordID\u003e1579\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:27.747227500Z'/\u003e\u003cEventRecordID\u003e18591\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 13, + "type": "start" + }, + "host": { + "name": "vagrant" + }, "log": { "level": "information" }, "powershell": { - "pipeline_id": "15", - "process": { - "executable_version": "5.1.17763.1007" - }, - "provider": { - "name": "Certificate", - "new_state": "Started" - }, "engine": { + "new_state": "Available", + "previous_state": "None", "version": "5.1.17763.1007" }, - "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" - }, - "host": { - "name": "vagrant" - }, - "event": { - "sequence": 35, - "ingested": "2022-01-12T05:21:30.519545468Z", - "code": "600", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 
'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "PowerShell", - "kind": "event", - "category": "process", - "type": "info" + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2" }, - "tags": [ - "forwarded" - ] - }, - { "process": { "args": [ "C:\\Windows\\system32\\wsmprovhost.exe", "-Embedding" ], "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", "entity_id": "2458050c-5e21-47a6-bbdf-41ef2151b519", - "title": "ServerRemoteHost", - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding" + "title": "ServerRemoteHost" }, - "@timestamp": "2020-05-14T07:00:30.891Z", + "tags": [ + "forwarded" + ], "winlog": { "channel": "Windows 
PowerShell", "computer_name": "vagrant", - "record_id": "1492", "event_id": "400", "keywords": [ "Classic" ], - "provider_name": "PowerShell" - }, + "provider_name": "PowerShell", + "record_id": "1492" + } + }, + { + "@timestamp": "2020-02-26T09:37:40.487Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "800", + "ingested": "2022-03-31T08:44:05.709689Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-02-26T09:37:40.487241500Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant-2019\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026amp; { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026amp;'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.376993100Z'/\u003e\u003cEventRecordID\u003e1843\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u0026amp; { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026amp; { Set-StrictMode -Version 1; 
$this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003eCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1846\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eImport-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in 
any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1847\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u003c/Data\u003e\u003cData\u003eCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 17, + "type": "info" + }, + "file": { + "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", + "extension": "psm1", + "name": "Microsoft.PowerShell.Archive.psm1", + "path": 
"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1" + }, + "host": { + "name": "vagrant-2019" + }, "log": { "level": "information" }, "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Add-Type", + "type": "CommandInvocation", + "value": "\"Add-Type\"" + }, + { + "name": "\"AssemblyName\"", + "related_command": "Add-Type", + "type": "ParameterBinding", + "value": "\"System.IO.Compression.FileSystem\"" + } + ], + "value": " Add-Type -AssemblyName System.IO.Compression.FileSystem" + }, "engine": { - "new_state": "Available", - "version": "5.1.17763.1007", - "previous_state": "None" + "version": "5.1.17763.1007" }, + "pipeline_id": "1", "process": { - "executable_version": "1.0.0.0" + "executable_version": "5.1.17763.1007" }, - "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2" - }, - "host": { - "name": "vagrant" - }, - "event": { - "sequence": 13, - "ingested": "2022-01-12T05:21:30.519547354Z", - "code": "400", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:00:30.891423500Z'/\u003e\u003cEventRecordID\u003e1492\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe 
-Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:01:14.371507600Z'/\u003e\u003cEventRecordID\u003e1511\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:32:51.989256800Z'/\u003e\u003cEventRecordID\u003e1579\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:27.747227500Z'/\u003e\u003cEventRecordID\u003e18591\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "PowerShell", - "kind": "event", - "category": "process", - "type": "start" + "runspace_id": 
"6a447a2c-693e-4d41-948d-129b455b2569", + "sequence": 1, + "total": 1 }, - "tags": [ - "forwarded" - ] - }, - { "process": { "args": [ "powershell", 
@@ -137,141 +191,87 @@ "}" ], "args_count": 17, + "command_line": "powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }", "entity_id": "ac3c99ce-7983-4996-807e-6a689eaba50b", - "title": "ConsoleHost", - "command_line": "powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }" - }, - "winlog": { - "channel": "Windows PowerShell", - "computer_name": "vagrant-2019", - "record_id": "191", - "event_id": "800", - "keywords": [ - "Classic" - ], - "provider_name": "PowerShell" - }, - "log": { - "level": "information" - }, - "tags": [ - "forwarded" - ], - "@timestamp": "2020-02-26T09:37:40.487Z", - "file": { - "name": "Microsoft.PowerShell.Archive.psm1", - "path": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1", - "extension": "psm1", - "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" - }, - "ecs": { - "version": "8.0.0" + "title": "ConsoleHost" }, "related": { "user": [ "vagrant" ] }, - "powershell": { - "sequence": 1, - "total": 1, - "process": { - "executable_version": "5.1.17763.1007" - }, - "engine": { - "version": "5.1.17763.1007" - }, - "runspace_id": "6a447a2c-693e-4d41-948d-129b455b2569", - "pipeline_id": "1", - "command": { - "value": " Add-Type -AssemblyName System.IO.Compression.FileSystem", - "invocation_details": [ - { - "related_command": "Add-Type", - 
"type": "CommandInvocation", - "value": "\"Add-Type\"" - }, - { - "related_command": "Add-Type", - "name": "\"AssemblyName\"", - "type": "ParameterBinding", - "value": "\"System.IO.Compression.FileSystem\"" - } - ] - } - }, - "host": { - "name": "vagrant-2019" - }, - "event": { - "sequence": 17, - "ingested": "2022-01-12T05:21:30.519547795Z", - "code": "800", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-02-26T09:37:40.487241500Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant-2019\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026amp; { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026amp;'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.376993100Z'/\u003e\u003cEventRecordID\u003e1843\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u0026amp; { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026amp; { Set-StrictMode -Version 1; 
$this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003eCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1846\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eImport-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in 
any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1847\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u003c/Data\u003e\u003cData\u003eCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "PowerShell", - "kind": "event", - "category": "process", - "type": "info" - }, + "tags": [ + "forwarded" + ], "user": { - "name": "vagrant", - "domain": "VAGRANT-2019" - } - }, - { - "process": { - "args": [ - "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" - ], - "args_count": 1, - "entity_id": "1929aa68-472a-404a-8ead-96bd7b49f2db", - 
"title": "Windows PowerShell ISE Host", - "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + "domain": "VAGRANT-2019", + "name": "vagrant" }, - "@timestamp": "2020-05-14T15:31:22.426Z", "winlog": { "channel": "Windows PowerShell", - "computer_name": "vagrant", - "record_id": "1687", - "event_id": "403", + "computer_name": "vagrant-2019", + "event_id": "800", "keywords": [ "Classic" ], - "provider_name": "PowerShell" - }, + "provider_name": "PowerShell", + "record_id": "191" + } + }, + { + "@timestamp": "2020-05-14T15:31:22.426Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "403", + "ingested": "2022-03-31T08:44:05.709693900Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T15:31:22.426923800Z'/\u003e\u003cEventRecordID\u003e1687\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.932007000Z'/\u003e\u003cEventRecordID\u003e1706\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:28:53.626698200Z'/\u003e\u003cEventRecordID\u003e1766\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:28.686193900Z'/\u003e\u003cEventRecordID\u003e18592\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"PowerShell", + "sequence": 33, + "type": "end" + }, + "host": { + "name": "vagrant" + }, "log": { "level": "information" }, "powershell": { "engine": { "new_state": "Stopped", - "version": "5.1.17763.1007", - "previous_state": "Available" + "previous_state": "Available", + "version": "5.1.17763.1007" }, "process": { "executable_version": "5.1.17763.1007" }, "runspace_id": "6f14a54e-5992-42dd-b38c-68830a28b1b6" }, - "host": { - "name": "vagrant" - }, - "event": { - "sequence": 33, - "ingested": "2022-01-12T05:21:30.519548146Z", - "code": "403", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T15:31:22.426923800Z'/\u003e\u003cEventRecordID\u003e1687\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID 
Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.932007000Z'/\u003e\u003cEventRecordID\u003e1706\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:28:53.626698200Z'/\u003e\u003cEventRecordID\u003e1766\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand IABpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAAdgBhAHIAaQBhAGIAbABlADoAZwBsAG8AYgBhAGwAOgBQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQApAHsAcwBlAHQALQB2AGEAcgBpAGEAYgBsAGUAIAAtAG4AYQBtAGUAIAB2AGEAcgBpAGEAYgBsAGUAOgBnAGwAbwBiAGEAbAA6AFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAALQB2AGEAbAB1AGUAIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwB9ADsALgAgAGMAOgAvAFcAaQBuAGQAbwB3AHMALwBUAGUAbQBwAC8AcABhAGMAawBlAHIALQBwAHMALQBlAG4AdgAtAHYAYQByAHMALQA1AGUANQA2ADMANwBkAGQALQAxADUAYQA5AC0ANwAzAGUAMAAtADgAOAA5AGEALQBjADAAMQBmADUANAAxAGEAOABiAGMANgAuAHAAcwAxADsAIAAmACcAYwA6AC8AVwBpAG4AZABvAHcAcwAvAFQAZQBtAHAALwBzAGMAcgBpAHAAdAAtADUAZQA1ADYAMwA3AGQAZAAtADUANgAyADYALQAwADEAOQBkAC0AMAAyADcAYQAtADAAMgBlADcAOABiAGEAYQBhAGMAYwA5AC4AcABzADEAJwA7ACAAZQB4AGkAdAAgACQATABhAHMAdABFAHgAaQB0AEMAbwBkAGUAIAA= -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-06-04T07:20:28.686193900Z'/\u003e\u003cEventRecordID\u003e18592\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "PowerShell", - "kind": "event", - "category": "process", - "type": "end" + "process": { + "args": [ + "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + ], + "args_count": 1, + "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe", + "entity_id": "1929aa68-472a-404a-8ead-96bd7b49f2db", + "title": "Windows PowerShell ISE Host" }, "tags": [ "forwarded" - ] + ], + "winlog": { + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "403", + "keywords": [ + "Classic" + ], + "provider_name": "PowerShell", + "record_id": "1687" + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/powershell/sample_event.json b/packages/windows/data_stream/powershell/sample_event.json index f9cf2b3a7d2..45e597cfcc4 100644 --- a/packages/windows/data_stream/powershell/sample_event.json +++ b/packages/windows/data_stream/powershell/sample_event.json 
@@ -1,11 +1,12 @@
 {
 "@timestamp": "2020-05-13T13:21:43.183Z",
 "agent": {
- "ephemeral_id": "db81e0aa-51b2-4036-9ece-f3c8979be9f8",
- "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
+ "ephemeral_id": "9c05a45c-02bf-4437-9447-8591244dbdca",
+ "hostname": "docker-fleet-agent",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "data_stream": {
 "dataset": "windows.powershell",
@@ -16,17 +17,17 @@ "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "snapshot": false, - "version": "8.0.0-beta1" + "version": "7.17.0" }, "event": { "agent_id_status": "verified", "category": "process", "code": "600", - "created": "2022-01-12T05:24:01.636Z", + "created": "2022-03-31T08:41:12.816Z", "dataset": "windows.powershell", - "ingested": "2022-01-12T05:24:02Z", + "ingested": "2022-03-31T08:41:16Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID 
Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json index 612147902d9..f15bce018e8 100644 --- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json 
@@ -2,126 +2,85 @@ "expected": [ { "@timestamp": "2020-05-13T09:04:04.755Z", - "winlog": { - "computer_name": "vagrant", - "record_id": "790", - "process": { - "pid": 4204, - "thread": { - "id": 1476 - } - }, - "event_id": "4105", - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", - "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, - "user": { - "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "verbose" - }, - "powershell": { - "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623", - "file": { - "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:21:31.956824087Z", + "category": "process", "code": "4105", + "ingested": "2022-03-31T08:44:06.320067600Z", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", "type": "start" }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" }, "tags": [ "forwarded" - ] - }, - { - "process": { - "args": [ - "C:\\Windows\\system32\\wsmprovhost.exe", - "-Embedding" - ], - "args_count": 2, - "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", - "title": "ServerRemoteHost", - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "3885", + "event_id": "4105", "process": { - "pid": 3984, + "pid": 4204, "thread": { - "id": 3616 + "id": 1476 } }, - "event_id": "4103", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "790", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, - "log": { - "level": "information" - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-15T08:11:47.897Z", "destination": { "user": { - "name": "vagrant", - "domain": "VAGRANT" - } - }, - "source": { - "user": { - "name": "vagrant", - "domain": "VAGRANT" + "domain": "VAGRANT", + "name": "vagrant" } }, - "tags": [ - "forwarded" - ], - 
"@timestamp": "2020-05-15T08:11:47.897Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] + "event": { + "category": "process", + "code": "4103", + "ingested": "2022-03-31T08:44:06.320074100Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): 
name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): 
name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 34, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" }, "powershell": { - "pipeline_id": "1", - "process": { - "executable_version": "1.0.0.0" - }, - "id": "Microsoft.PowerShell", - "engine": { - "version": "5.1.17763.1007" - }, - "runspace_id": "0729459a-8646-4176-8b02-024421a9632e", "command": { - "name": "cmd.exe", - "path": "C:\\Windows\\system32\\cmd.exe", "invocation_details": [ { "related_command": "cmd.exe", 
@@ -134,139 +93,180 @@ "value": "\"Out-Null\"" }, { - "related_command": "Out-Null", "name": "\"InputObject\"", + "related_command": "Out-Null", "type": "ParameterBinding", "value": "\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"" } ], + "name": "cmd.exe", + "path": "C:\\Windows\\system32\\cmd.exe", "type": "Application" - } + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "1", + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" }, - "host": { - "name": "vagrant" + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" }, - "event": { - "sequence": 34, - "ingested": "2022-01-12T05:21:31.956826585Z", - "code": "4103", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = 
Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = 
aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", - "type": "info" + "related": { + "user": [ + "vagrant" + ] + }, + "source": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } }, + "tags": [ + "forwarded" + ], "user": { - "name": "vagrant", "domain": "VAGRANT", - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, - { - "@timestamp": "2020-05-13T10:40:32.595Z", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", + "name": "vagrant" + }, "winlog": { + "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "933", + "event_id": "4103", "process": { - "pid": 4776, + "pid": 3984, "thread": { - "id": 5092 + "id": 3616 } }, - "event_id": "4106", "provider_guid": 
"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "3885", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-13T10:40:32.595Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "4106", + "ingested": "2022-03-31T08:44:06.320078300Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": "end" + }, + "host": { + "name": "vagrant" + }, "log": { "level": "verbose" }, "powershell": { - "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332", "file": { "script_block_id": 
"4c487c13-46f7-4485-925b-34855c7e873c" - } - }, - "host": { - "name": "vagrant" - }, - "event": { - "ingested": "2022-01-12T05:21:31.956827079Z", - "code": "4106", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", - "type": "end" + }, + "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" }, + "tags": [ + "forwarded" + ], "user": { "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-05-14T11:33:51.389Z", "winlog": { + "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "3580", + "event_id": "4106", "process": { - "pid": 4844, + "pid": 4776, "thread": { - "id": 4428 + "id": 5092 } }, - "event_id": "4104", 
"provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "933", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-14T11:33:51.389Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "verbose" - }, - "powershell": { - "sequence": 1, - "total": 1, - "file": { - "script_block_text": ".\\patata.ps1", - "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:21:31.956827494Z", + "category": "process", "code": "4104", + "ingested": "2022-03-31T08:44:06.320084900Z", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData 
Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", "type": "info" }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", + "script_block_text": ".\\patata.ps1" + }, + "sequence": 1, + "total": 1 }, "tags": [ "forwarded" - ] + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" 
+ }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4104", + "process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3580", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/powershell_operational/sample_event.json b/packages/windows/data_stream/powershell_operational/sample_event.json index 96c881d9412..51586bda915 100644 --- a/packages/windows/data_stream/powershell_operational/sample_event.json +++ b/packages/windows/data_stream/powershell_operational/sample_event.json @@ -1,11 +1,12 @@ { "@timestamp": "2020-05-13T09:04:04.755Z", "agent": { - "ephemeral_id": "bbdc83ce-5df6-4729-b8e9-0185b6ab66f6", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "d531ecae-45f4-4f96-a334-2c851a45469a", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "7.17.0" }, "data_stream": { "dataset": "windows.powershell_operational", 
@@ -16,17 +17,17 @@ "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "snapshot": false, - "version": "8.0.0-beta1" + "version": "7.17.0" }, "event": { "agent_id_status": "verified", "category": "process", "code": "4105", - "created": "2022-01-12T05:24:36.653Z", + "created": "2022-03-31T08:41:48.560Z", "dataset": "windows.powershell_operational", - "ingested": "2022-01-12T05:24:37Z", + "ingested": "2022-03-31T08:41:49Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json index 7d664674210..d2bbf1d7f18 100644 
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json 
@@ -8656,6 +8656,306 @@ }, "version": 5 } - } + }, + { + "@timestamp": "2022-03-31T06:21:03.771Z", + "event": { + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "original": "13241300x80000000000000009334Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:21:03.765{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORDQWORD (0x00000000-0x1234fabd)VAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:21:03.765\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD\r\nDetails: QWORD (0x00000000-0x1234fabd)\r\nUser: VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", + "action": "Registry value set (rule: RegistryEvent)", + "created": "2022-03-31T06:21:05.221Z", + "code": "13", + "dataset": "windows.sysmon_operational" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "event_data": { + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD", + "Details": "QWORD (0x00000000-0x1234fabd)", + "Image": "C:\\Windows\\regedit.exe", + "User": "VAGRANT\\vagrant", + "RuleName": "UACMe Dir Prep", + "EventType": "SetValue", + "UtcTime": "2022-03-31 06:21:03.765", + "ProcessId": "5816", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" + }, + "api": "wineventlog", + "record_id": 9334, + "event_id": "13", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "Registry value set (rule: RegistryEvent)", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "version": 2, + "user": { + "name": "SYSTEM", + "type": "User", + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY" + }, 
+ "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "opcode": "Info", + "computer_name": "vagrant" + } + }, + { + "@timestamp": "2022-03-31T06:39:22.648Z", + "winlog": { + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "user": { + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY", + "name": "SYSTEM", + "type": "User" + }, + "process": { + "thread": { + "id": 3720 + }, + "pid": 2876 + }, + "opcode": "Info", + "channel": "Microsoft-Windows-Sysmon/Operational", + "record_id": 9366, + "task": "Registry value set (rule: RegistryEvent)", + "provider_name": "Microsoft-Windows-Sysmon", + "event_id": "13", + "version": 2, + "event_data": { + "RuleName": "UACMe Dir Prep", + "Details": "abcd", + "EventType": "SetValue", + "ProcessId": "5816", + "Image": "C:\\Windows\\regedit.exe", + "UtcTime": "2022-03-31 06:39:22.643", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1", + "User": "VAGRANT\\vagrant", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" + }, + "api": "wineventlog", + "computer_name": "vagrant" + }, + "event": { + "dataset": "windows.sysmon_operational", + "action": "Registry value set (rule: RegistryEvent)", + "created": "2022-03-31T06:39:24.670Z", + "code": "13", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "original": "13241300x80000000000000009366Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:39:22.643{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1abcdVAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:39:22.643\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1\r\nDetails: abcd\r\nUser: 
VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info" + }, + "log": { + "level": "information" + } + }, + { + "@timestamp": "2022-03-31T06:39:36.303Z", + "winlog": { + "user": { + "name": "SYSTEM", + "type": "User", + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY" + }, + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "channel": "Microsoft-Windows-Sysmon/Operational", + "event_id": "13", + "computer_name": "vagrant", + "opcode": "Info", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 9370, + "task": "Registry value set (rule: RegistryEvent)", + "event_data": { + "RuleName": "UACMe Dir Prep", + "EventType": "SetValue", + "UtcTime": "2022-03-31 06:39:36.298", + "Details": "DWORD (0x12349abc)", + "User": "VAGRANT\\vagrant", + "ProcessId": "5816", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", + "Image": "C:\\Windows\\regedit.exe" + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "api": "wineventlog", + "version": 2 + }, + "log": { + "level": "information" + }, + "event": { + "code": "13", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "dataset": "windows.sysmon_operational", + "original": "13241300x80000000000000009370Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:39:36.298{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORDDWORD (0x12349abc)VAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:39:36.298\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD\r\nDetails: DWORD (0x12349abc)\r\nUser: 
VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", + "action": "Registry value set (rule: RegistryEvent)", + "created": "2022-03-31T06:39:37.779Z" + } + }, + { + "@timestamp": "2022-03-31T06:40:11.539Z", + "winlog": { + "event_id": "13", + "user": { + "name": "SYSTEM", + "type": "User", + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY" + }, + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "event_data": { + "User": "VAGRANT\\vagrant", + "Details": "Binary Data", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING", + "EventType": "SetValue", + "ProcessId": "5816", + "Image": "C:\\Windows\\regedit.exe", + "UtcTime": "2022-03-31 06:40:11.534", + "RuleName": "UACMe Dir Prep" + }, + "record_id": 9375, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "version": 2, + "computer_name": "vagrant", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "opcode": "Info", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "Registry value set (rule: RegistryEvent)" + }, + "event": { + "code": "13", + "dataset": "windows.sysmon_operational", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "original": "13241300x80000000000000009375Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:40:11.534{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRINGBinary DataVAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:40:11.534\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING\r\nDetails: 
Binary Data\r\nUser: VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", + "action": "Registry value set (rule: RegistryEvent)", + "created": "2022-03-31T06:40:13.047Z" + }, + "log": { + "level": "information" + } + }, + { + "@timestamp": "2022-03-31T06:40:38.118Z", + "log": { + "level": "information" + }, + "winlog": { + "task": "Registry value set (rule: RegistryEvent)", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "opcode": "Info", + "event_data": { + "User": "VAGRANT\\vagrant", + "RuleName": "UACMe Dir Prep", + "EventType": "SetValue", + "UtcTime": "2022-03-31 06:40:38.113", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", + "ProcessId": "5816", + "Details": "Binary Data", + "Image": "C:\\Windows\\regedit.exe", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE" + }, + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "api": "wineventlog", + "provider_name": "Microsoft-Windows-Sysmon", + "version": 2, + "user": { + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY", + "name": "SYSTEM", + "type": "User" + }, + "event_id": "13", + "record_id": 9379 + }, + "event": { + "original": "13241300x80000000000000009379Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:40:38.113{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUEBinary DataVAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:40:38.113\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE\r\nDetails: Binary Data\r\nUser: 
VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", + "action": "Registry value set (rule: RegistryEvent)", + "dataset": "windows.sysmon_operational", + "created": "2022-03-31T06:40:39.262Z", + "code": "13", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon" + } + }, + { + "@timestamp": "2022-03-31T06:41:01.551Z", + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "provider_name": "Microsoft-Windows-Sysmon", + "event_id": "13", + "opcode": "Info", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM", + "type": "User", + "identifier": "S-1-5-18" + }, + "version": 2, + "event_data": { + "RuleName": "UACMe Dir Prep", + "Image": "C:\\Windows\\regedit.exe", + "EventType": "SetValue", + "UtcTime": "2022-03-31 06:41:01.546", + "ProcessId": "5816", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR", + "Details": "*.dll expanded", + "User": "VAGRANT\\vagrant", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" + }, + "api": "wineventlog", + "record_id": 9384 + }, + "event": { + "provider": "Microsoft-Windows-Sysmon", + "original": "13241300x80000000000000009384Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:41:01.546{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR*.dll expandedVAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:41:01.546\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile 
Environment\\2\\TEST_EXPANDED_STR\r\nDetails: *.dll expanded\r\nUser: VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", + "action": "Registry value set (rule: RegistryEvent)", + "dataset": "windows.sysmon_operational", + "created": "2022-03-31T06:41:03.491Z", + "code": "13", + "kind": "event" + }, + "log": { + "level": "information" + } + } ] -} \ No newline at end of file +} diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index bc22503238e..6cb5044ddf0 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json @@ -1820,6 +1820,12 @@ "pid": 4320 }, "registry": { + "data": { + "strings": [ + "Binary Data" + ], + "type": "REG_BINARY" + }, "hive": "HKU", "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", @@ -2136,6 +2142,12 @@ "pid": 4320 }, "registry": { + "data": { + "strings": [ + "Binary Data" + ], + "type": "REG_BINARY" + }, "hive": "HKU", "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", 
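Review bot: Two of the new fixtures in the `@@ -8656` hunk, `TEST_MULTI_VALUE_STRING` and `TEST_BIN_VALUE`, carry the identical `"Details": "Binary Data"`, so the input gives the pipeline nothing to distinguish a multi-string value from a binary one; if that is the intent (Sysmon rendering both the same way), the expected records for these two events should assert the same type for both rather than a multi-string type the input cannot justify. The `TEST_QWORD` fixture renders the value as two hex halves, `QWORD (0x00000000-0x1234fabd)`, and the expected record should pin how that is decoded (one 64-bit value versus two separate numbers) so a later parser change cannot silently alter it. The expected output for these added events is not in this part of the diff, so I cannot confirm either point against it.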
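Review bot: The new `registry.data.strings` array holds the literal `"Binary Data"`, which is Sysmon's placeholder for a value whose bytes are not logged rather than any content of the value; the same object is added in the `@@ -2136` hunk and in the `@@ -21048` hunk. A detection rule or analyst reading `registry.data.strings` cannot tell this placeholder from real string content, so it would be clearer to set `"type": "REG_BINARY"` and leave `strings` unset when `Details` is `Binary Data`, or at least state the placeholder semantics in the processor that produces the field. The ingest pipeline change that emits these fields is not in this part of the diff, so I am inferring the mapping from the expected output only.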
@@ -21048,6 +21060,12 @@ "pid": 4320 }, "registry": { + "data": { + "strings": [ + "Binary Data" + ], + "type": "REG_BINARY" + }, "hive": "HKU", "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", 
@@ -21484,6 +21502,504 @@ }, "version": 5 } + }, + { + "@timestamp": "2022-03-31T06:21:03.765Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Registry value set (rule: RegistryEvent)", + "category": [ + "configuration", + "registry" + ], + "code": "13", + "created": "2022-03-31T06:21:05.221Z", + "dataset": "windows.sysmon_operational", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:21:03.771061300Z'/\u003e\u003cEventRecordID\u003e9334\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:21:03.765\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x1234fabd)\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo 
Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:21:03.765\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD\r\nDetails: QWORD (0x00000000-0x1234fabd)\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{ce6f2a55-427a-6245-3801-000000000900}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 5816 + }, + "registry": { + "data": { + "strings": [ + "305461949" + ], + "type": "SZ_QWORD" + }, + "hive": "HKU", + "key": "S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD", + "path": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD", + "value": "TEST_QWORD" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "rule": { + "name": "UACMe Dir Prep" + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "9334", + "task": "Registry value set (rule: 
RegistryEvent)", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "User" + }, + "version": 2 + } + }, + { + "@timestamp": "2022-03-31T06:39:22.643Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Registry value set (rule: RegistryEvent)", + "category": [ + "configuration", + "registry" + ], + "code": "13", + "created": "2022-03-31T06:39:24.670Z", + "dataset": "windows.sysmon_operational", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:39:22.648698100Z'/\u003e\u003cEventRecordID\u003e9366\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:39:22.643\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1\u003c/Data\u003e\u003cData Name='Details'\u003eabcd\u003c/Data\u003e\u003cData 
Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:39:22.643\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1\r\nDetails: abcd\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{ce6f2a55-427a-6245-3801-000000000900}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 5816 + }, + "registry": { + "data": { + "strings": [ + "abcd" + ], + "type": "REG_SZ" + }, + "hive": "HKU", + "key": "S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1", + "path": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1", + "value": "TEST_KEY_1" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "rule": { + "name": "UACMe Dir Prep" + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", 
+ "record_id": "9366", + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "User" + }, + "version": 2 + } + }, + { + "@timestamp": "2022-03-31T06:39:36.298Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Registry value set (rule: RegistryEvent)", + "category": [ + "configuration", + "registry" + ], + "code": "13", + "created": "2022-03-31T06:39:37.779Z", + "dataset": "windows.sysmon_operational", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:39:36.303809800Z'/\u003e\u003cEventRecordID\u003e9370\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:39:36.298\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD 
(0x12349abc)\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:39:36.298\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD\r\nDetails: DWORD (0x12349abc)\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{ce6f2a55-427a-6245-3801-000000000900}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 5816 + }, + "registry": { + "data": { + "strings": [ + "0x12349abc" + ], + "type": "SZ_DWORD" + }, + "hive": "HKU", + "key": "S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD", + "path": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD", + "value": "TEST_DWORD" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "rule": { + "name": "UACMe Dir Prep" + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "provider_guid": 
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "9370", + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "User" + }, + "version": 2 + } + }, + { + "@timestamp": "2022-03-31T06:40:11.534Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Registry value set (rule: RegistryEvent)", + "category": [ + "configuration", + "registry" + ], + "code": "13", + "created": "2022-03-31T06:40:13.047Z", + "dataset": "windows.sysmon_operational", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:40:11.539166700Z'/\u003e\u003cEventRecordID\u003e9375\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:40:11.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile 
Environment\\2\\TEST_MULTI_VALUE_STRING\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:40:11.534\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING\r\nDetails: Binary Data\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{ce6f2a55-427a-6245-3801-000000000900}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 5816 + }, + "registry": { + "data": { + "strings": [ + "Binary Data" + ], + "type": "REG_BINARY" + }, + "hive": "HKU", + "key": "S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING", + "path": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING", + "value": "TEST_MULTI_VALUE_STRING" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "rule": { + "name": "UACMe Dir Prep" + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": 
"13", + "opcode": "Info", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "9375", + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "User" + }, + "version": 2 + } + }, + { + "@timestamp": "2022-03-31T06:40:38.113Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Registry value set (rule: RegistryEvent)", + "category": [ + "configuration", + "registry" + ], + "code": "13", + "created": "2022-03-31T06:40:39.262Z", + "dataset": "windows.sysmon_operational", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:40:38.118474300Z'/\u003e\u003cEventRecordID\u003e9379\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:40:38.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:40:38.113\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE\r\nDetails: Binary Data\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{ce6f2a55-427a-6245-3801-000000000900}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 5816 + }, + "registry": { + "data": { + "strings": [ + "Binary Data" + ], + "type": "REG_BINARY" + }, + "hive": "HKU", + "key": "S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE", + "path": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE", + "value": "TEST_BIN_VALUE" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "rule": { + "name": "UACMe Dir Prep" + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "9379", + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "User" + }, + "version": 2 + } + }, + { + "@timestamp": "2022-03-31T06:41:01.546Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Registry value set (rule: RegistryEvent)", + "category": [ + "configuration", + "registry" + ], + "code": "13", + "created": "2022-03-31T06:41:03.491Z", + "dataset": "windows.sysmon_operational", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:41:01.551493500Z'/\u003e\u003cEventRecordID\u003e9384\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:41:01.546\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR\u003c/Data\u003e\u003cData Name='Details'\u003e*.dll expanded\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:41:01.546\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR\r\nDetails: *.dll expanded\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{ce6f2a55-427a-6245-3801-000000000900}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 5816 + }, + "registry": { + "data": { + "strings": [ + "*.dll expanded" + ], + "type": "REG_SZ" + }, + "hive": "HKU", + "key": "S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR", + "path": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR", + "value": "TEST_EXPANDED_STR" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "rule": { + "name": "UACMe Dir 
Prep" + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "9384", + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "User" + }, + "version": 2 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml index 1731bc0dcce..4cbdd207c5d 100644 --- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml @@ -1154,8 +1154,9 @@ processors: HKU: "HKU" source: |- ctx.registry = new HashMap(); - Pattern qwordRegex = /(?i)QWORD \(((0x\d{8})-(0x\d{8}))\)/; - Pattern dwordRegex = /(?i)DWORD \((0x\d{8})\)/; + Pattern qwordRegex = /(?i)QWORD \(((0x[0-9A-F]{8})-(0x[0-9A-F]{8}))\)/; + Pattern dwordRegex = /(?i)DWORD \((0x[0-9A-F]{8})\)/; + Pattern binDataRegex = /Binary Data/; def path = ctx.winlog.event_data.TargetObject; ctx.registry.path = path; @@ -1174,9 +1175,11 @@ processors: def data = ctx?.winlog?.event_data?.Details; if (data != null && data != "") { + def prefixLen = 2; // to remove 0x prefix def dataValue = ""; def dataType = ""; + def matcher = qwordRegex.matcher(data); if (matcher.matches()) { def parsedHighByte = Long.parseLong(matcher.group(2).substring(prefixLen), 16); 
@@ -1184,24 +1187,43 @@ processors: if (!Double.isNaN(parsedHighByte) && !Double.isNaN(parsedLowByte)) { dataType = "SZ_QWORD"; dataValue = Long.toString(((parsedHighByte << 8) + parsedLowByte)); + ctx.registry.data = [ + "strings": [dataValue], + "type": dataType + ]; } - } else { - matcher = dwordRegex.matcher(data); - if (matcher.matches()) { - def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16); - if (!Double.isNaN(parsedValue)) { - dataType = "SZ_DWORD"; - dataValue = matcher.group(1); - } + return; + } + + matcher = dwordRegex.matcher(data); + if (matcher.matches()) { + def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16); + if (!Double.isNaN(parsedValue)) { + dataType = "SZ_DWORD"; + dataValue = matcher.group(1); + ctx.registry.data = [ + "strings": [dataValue], + "type": dataType + ]; } + return; } - if (dataType != "") { + matcher = binDataRegex.matcher(data); + if (matcher.matches()) { + // Data type could be REG_BINARY or REG_MULTI_SZ ctx.registry.data = [ - "strings": [dataValue], - "type": dataType + "strings": [data], + "type": "REG_BINARY" ]; + return; } + + // REG_SZ or REG_EXPAND_SZ + ctx.registry.data = [ + "strings": [data], + "type": "REG_SZ" + ]; } ## Cleanup diff --git a/packages/windows/data_stream/sysmon_operational/sample_event.json b/packages/windows/data_stream/sysmon_operational/sample_event.json index d4735279da0..0e68166259b 100644 --- a/packages/windows/data_stream/sysmon_operational/sample_event.json +++ b/packages/windows/data_stream/sysmon_operational/sample_event.json 
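Review bot: The QWORD branch this hunk restructures still joins the two halves with `dataValue = Long.toString(((parsedHighByte << 8) + parsedLowByte));`, but the first capture group is a 32-bit high DWORD, so it belongs at bit 32 and the line should read `dataValue = Long.toString((parsedHighByte << 32) + parsedLowByte);`. The new fixture in test-events.json-expected.json only exercises `QWORD (0x00000000-0x1234fabd)`, whose zero high half makes the expected `305461949` come out right with either shift, so a case with a non-zero high DWORD is needed to pin the fix. The `Double.isNaN` guards in both numeric branches can never be true for a `long`, and the regexes already restrict the groups to eight hex digits, so those checks are dead and could be dropped to make the flow clearer. The `Binary Data` branch stores the literal placeholder text in `strings` and labels REG_MULTI_SZ values as `REG_BINARY`, as the new comment concedes; if that is intentional, a line in the pipeline documentation stating that `registry.data.type` is a best-effort classification derived from the rendered Details string would keep detection content from treating it as the authoritative value type. The enclosing script begins before this hunk.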
@@ -1,11 +1,12 @@ { "@timestamp": "2019-07-18T03:34:01.261Z", "agent": { - "ephemeral_id": "864e1771-93da-4224-b75b-92560b085f41", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "0670a96e-1852-42bc-b667-66e022ab1c89", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "7.17.0" }, "data_stream": { "dataset": "windows.sysmon_operational", @@ -41,9 +42,9 @@ "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "snapshot": false, - "version": "8.0.0-beta1" + "version": "7.17.0" }, "event": { "agent_id_status": "verified", 
@@ -53,7 +54,7 @@ "code": "22", "created": "2019-07-18T03:34:02.025Z", "dataset": "windows.sysmon_operational", - "ingested": "2022-01-12T05:25:16Z", + "ingested": "2022-03-31T08:42:26Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", From c8b617c795aee5f4313c4ab73b5b3efea6f175d0 Mon Sep 17 00:00:00 2001 
From: Sai Kiran <85323324+r00tu53r@users.noreply.github.com> Date: Thu, 31 Mar 2022 19:55:23 +1100 Subject: [PATCH 2/6] Update changelog and manifest --- packages/windows/changelog.yml | 5 +++++ packages/windows/manifest.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index 73ba5559001..44c1d5d2c91 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.11.0" + changes: + - description: Support for Sysmon Registry non-QWORD/DWORD events + type: enhancement + link: https://github.com/elastic/integrations/pull/2962 - version: "1.10.0" changes: - description: Add sysmon event 26 handling diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index cedbc30e247..3d1a39e8a61 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 1.10.0 +version: 1.11.0 description: Collect logs and metrics from Windows OS and services with Elastic Agent. type: integration categories: From 671ca70c613011c6c67561b784124b857b2df1a0 Mon Sep 17 00:00:00 2001 From: Sai Kiran <85323324+r00tu53r@users.noreply.github.com> Date: Thu, 31 Mar 2022 23:11:27 +1100 Subject: [PATCH 3/6] format and regen README --- .../_dev/test/pipeline/test-events.json | 600 +++++++++--------- packages/windows/docs/README.md | 43 +- 2 files changed, 323 insertions(+), 320 deletions(-) diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json index d2bbf1d7f18..498a049c26f 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json 
@@ -8658,304 +8658,304 @@ } }, { - "@timestamp": "2022-03-31T06:21:03.771Z", - "event": { - "kind": "event", - "provider": "Microsoft-Windows-Sysmon", - "original": "13241300x80000000000000009334Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:21:03.765{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORDQWORD (0x00000000-0x1234fabd)VAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:21:03.765\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD\r\nDetails: QWORD (0x00000000-0x1234fabd)\r\nUser: VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", - "action": "Registry value set (rule: RegistryEvent)", - "created": "2022-03-31T06:21:05.221Z", - "code": "13", - "dataset": "windows.sysmon_operational" - }, - "log": { - "level": "information" - }, - "winlog": { - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD", - "Details": "QWORD (0x00000000-0x1234fabd)", - "Image": "C:\\Windows\\regedit.exe", - "User": "VAGRANT\\vagrant", - "RuleName": "UACMe Dir Prep", - "EventType": "SetValue", - "UtcTime": "2022-03-31 06:21:03.765", - "ProcessId": "5816", - "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" - }, - "api": "wineventlog", - "record_id": 9334, - "event_id": "13", - "provider_name": "Microsoft-Windows-Sysmon", - "task": "Registry value set (rule: RegistryEvent)", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "version": 2, - "user": { - "name": "SYSTEM", - "type": "User", - "identifier": "S-1-5-18", - "domain": "NT AUTHORITY" - }, - "process": { - 
"pid": 2876, - "thread": { - "id": 3720 - } - }, - "opcode": "Info", - "computer_name": "vagrant" - } - }, - { - "@timestamp": "2022-03-31T06:39:22.648Z", - "winlog": { - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "user": { - "identifier": "S-1-5-18", - "domain": "NT AUTHORITY", - "name": "SYSTEM", - "type": "User" - }, - "process": { - "thread": { - "id": 3720 - }, - "pid": 2876 - }, - "opcode": "Info", - "channel": "Microsoft-Windows-Sysmon/Operational", - "record_id": 9366, - "task": "Registry value set (rule: RegistryEvent)", - "provider_name": "Microsoft-Windows-Sysmon", - "event_id": "13", - "version": 2, - "event_data": { - "RuleName": "UACMe Dir Prep", - "Details": "abcd", - "EventType": "SetValue", - "ProcessId": "5816", - "Image": "C:\\Windows\\regedit.exe", - "UtcTime": "2022-03-31 06:39:22.643", - "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1", - "User": "VAGRANT\\vagrant", - "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" - }, - "api": "wineventlog", - "computer_name": "vagrant" - }, - "event": { - "dataset": "windows.sysmon_operational", - "action": "Registry value set (rule: RegistryEvent)", - "created": "2022-03-31T06:39:24.670Z", - "code": "13", - "kind": "event", - "provider": "Microsoft-Windows-Sysmon", - "original": "13241300x80000000000000009366Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:39:22.643{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1abcdVAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:39:22.643\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1\r\nDetails: abcd\r\nUser: 
VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info" - }, - "log": { - "level": "information" - } - }, - { - "@timestamp": "2022-03-31T06:39:36.303Z", - "winlog": { - "user": { - "name": "SYSTEM", - "type": "User", - "identifier": "S-1-5-18", - "domain": "NT AUTHORITY" - }, - "process": { - "pid": 2876, - "thread": { - "id": 3720 - } - }, - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_id": "13", - "computer_name": "vagrant", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "record_id": 9370, - "task": "Registry value set (rule: RegistryEvent)", - "event_data": { - "RuleName": "UACMe Dir Prep", - "EventType": "SetValue", - "UtcTime": "2022-03-31 06:39:36.298", - "Details": "DWORD (0x12349abc)", - "User": "VAGRANT\\vagrant", - "ProcessId": "5816", - "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD", - "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", - "Image": "C:\\Windows\\regedit.exe" - }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "api": "wineventlog", - "version": 2 - }, - "log": { - "level": "information" - }, - "event": { - "code": "13", - "kind": "event", - "provider": "Microsoft-Windows-Sysmon", - "dataset": "windows.sysmon_operational", - "original": "13241300x80000000000000009370Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:39:36.298{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORDDWORD (0x12349abc)VAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:39:36.298\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD\r\nDetails: DWORD (0x12349abc)\r\nUser: 
VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", - "action": "Registry value set (rule: RegistryEvent)", - "created": "2022-03-31T06:39:37.779Z" - } - }, - { - "@timestamp": "2022-03-31T06:40:11.539Z", - "winlog": { - "event_id": "13", - "user": { - "name": "SYSTEM", - "type": "User", - "identifier": "S-1-5-18", - "domain": "NT AUTHORITY" - }, - "api": "wineventlog", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "User": "VAGRANT\\vagrant", - "Details": "Binary Data", - "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", - "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING", - "EventType": "SetValue", - "ProcessId": "5816", - "Image": "C:\\Windows\\regedit.exe", - "UtcTime": "2022-03-31 06:40:11.534", - "RuleName": "UACMe Dir Prep" - }, - "record_id": 9375, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "version": 2, - "computer_name": "vagrant", - "process": { - "pid": 2876, - "thread": { - "id": 3720 - } - }, - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "task": "Registry value set (rule: RegistryEvent)" - }, - "event": { - "code": "13", - "dataset": "windows.sysmon_operational", - "kind": "event", - "provider": "Microsoft-Windows-Sysmon", - "original": "13241300x80000000000000009375Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:40:11.534{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRINGBinary DataVAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:40:11.534\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING\r\nDetails: 
Binary Data\r\nUser: VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", - "action": "Registry value set (rule: RegistryEvent)", - "created": "2022-03-31T06:40:13.047Z" - }, - "log": { - "level": "information" - } - }, - { - "@timestamp": "2022-03-31T06:40:38.118Z", - "log": { - "level": "information" - }, - "winlog": { - "task": "Registry value set (rule: RegistryEvent)", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "computer_name": "vagrant", - "opcode": "Info", - "event_data": { - "User": "VAGRANT\\vagrant", - "RuleName": "UACMe Dir Prep", - "EventType": "SetValue", - "UtcTime": "2022-03-31 06:40:38.113", - "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", - "ProcessId": "5816", - "Details": "Binary Data", - "Image": "C:\\Windows\\regedit.exe", - "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE" - }, - "process": { - "pid": 2876, - "thread": { - "id": 3720 - } - }, - "api": "wineventlog", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, - "user": { - "identifier": "S-1-5-18", - "domain": "NT AUTHORITY", - "name": "SYSTEM", - "type": "User" - }, - "event_id": "13", - "record_id": 9379 - }, - "event": { - "original": "13241300x80000000000000009379Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:40:38.113{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUEBinary DataVAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:40:38.113\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE\r\nDetails: Binary Data\r\nUser: 
VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", - "action": "Registry value set (rule: RegistryEvent)", - "dataset": "windows.sysmon_operational", - "created": "2022-03-31T06:40:39.262Z", - "code": "13", - "kind": "event", - "provider": "Microsoft-Windows-Sysmon" - } - }, - { - "@timestamp": "2022-03-31T06:41:01.551Z", - "winlog": { - "channel": "Microsoft-Windows-Sysmon/Operational", - "computer_name": "vagrant", - "provider_name": "Microsoft-Windows-Sysmon", - "event_id": "13", - "opcode": "Info", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "process": { - "pid": 2876, - "thread": { - "id": 3720 - } - }, - "task": "Registry value set (rule: RegistryEvent)", - "user": { - "domain": "NT AUTHORITY", - "name": "SYSTEM", - "type": "User", - "identifier": "S-1-5-18" - }, - "version": 2, - "event_data": { - "RuleName": "UACMe Dir Prep", - "Image": "C:\\Windows\\regedit.exe", - "EventType": "SetValue", - "UtcTime": "2022-03-31 06:41:01.546", - "ProcessId": "5816", - "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR", - "Details": "*.dll expanded", - "User": "VAGRANT\\vagrant", - "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" - }, - "api": "wineventlog", - "record_id": 9384 - }, - "event": { - "provider": "Microsoft-Windows-Sysmon", - "original": "13241300x80000000000000009384Microsoft-Windows-Sysmon/OperationalvagrantUACMe Dir PrepSetValue2022-03-31 06:41:01.546{ce6f2a55-427a-6245-3801-000000000900}5816C:\\Windows\\regedit.exeHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR*.dll expandedVAGRANT\\vagrantRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:41:01.546\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile 
Environment\\2\\TEST_EXPANDED_STR\r\nDetails: *.dll expanded\r\nUser: VAGRANT\\vagrantInformationRegistry value set (rule: RegistryEvent)Info", - "action": "Registry value set (rule: RegistryEvent)", - "dataset": "windows.sysmon_operational", - "created": "2022-03-31T06:41:03.491Z", - "code": "13", - "kind": "event" - }, - "log": { - "level": "information" - } - } + "@timestamp": "2022-03-31T06:21:03.771Z", + "event": { + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:21:03.771061300Z'/\u003e\u003cEventRecordID\u003e9334\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:21:03.765\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x1234fabd)\u003c/Data\u003e\u003cData 
Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:21:03.765\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD\r\nDetails: QWORD (0x00000000-0x1234fabd)\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "action": "Registry value set (rule: RegistryEvent)", + "created": "2022-03-31T06:21:05.221Z", + "code": "13", + "dataset": "windows.sysmon_operational" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "event_data": { + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_QWORD", + "Details": "QWORD (0x00000000-0x1234fabd)", + "Image": "C:\\Windows\\regedit.exe", + "User": "VAGRANT\\vagrant", + "RuleName": "UACMe Dir Prep", + "EventType": "SetValue", + "UtcTime": "2022-03-31 06:21:03.765", + "ProcessId": "5816", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" + }, + "api": "wineventlog", + "record_id": 9334, + "event_id": "13", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "Registry value set (rule: RegistryEvent)", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "version": 2, + "user": { + "name": "SYSTEM", + "type": "User", + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY" + }, + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "opcode": 
"Info", + "computer_name": "vagrant" + } + }, + { + "@timestamp": "2022-03-31T06:39:22.648Z", + "winlog": { + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "user": { + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY", + "name": "SYSTEM", + "type": "User" + }, + "process": { + "thread": { + "id": 3720 + }, + "pid": 2876 + }, + "opcode": "Info", + "channel": "Microsoft-Windows-Sysmon/Operational", + "record_id": 9366, + "task": "Registry value set (rule: RegistryEvent)", + "provider_name": "Microsoft-Windows-Sysmon", + "event_id": "13", + "version": 2, + "event_data": { + "RuleName": "UACMe Dir Prep", + "Details": "abcd", + "EventType": "SetValue", + "ProcessId": "5816", + "Image": "C:\\Windows\\regedit.exe", + "UtcTime": "2022-03-31 06:39:22.643", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1", + "User": "VAGRANT\\vagrant", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" + }, + "api": "wineventlog", + "computer_name": "vagrant" + }, + "event": { + "dataset": "windows.sysmon_operational", + "action": "Registry value set (rule: RegistryEvent)", + "created": "2022-03-31T06:39:24.670Z", + "code": "13", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:39:22.648698100Z'/\u003e\u003cEventRecordID\u003e9366\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' 
ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:39:22.643\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1\u003c/Data\u003e\u003cData Name='Details'\u003eabcd\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:39:22.643\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_KEY_1\r\nDetails: abcd\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e" + }, + "log": { + "level": "information" + } + }, + { + "@timestamp": "2022-03-31T06:39:36.303Z", + "winlog": { + "user": { + "name": "SYSTEM", + "type": "User", + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY" + }, + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "event_id": "13", + "computer_name": "vagrant", + "opcode": "Info", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 9370, + "task": "Registry value set (rule: RegistryEvent)", + "event_data": { + "RuleName": "UACMe Dir Prep", + "EventType": "SetValue", + "UtcTime": "2022-03-31 06:39:36.298", + "Details": "DWORD (0x12349abc)", + "User": "VAGRANT\\vagrant", + "ProcessId": "5816", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", + "Image": "C:\\Windows\\regedit.exe" + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "api": "wineventlog", + "version": 2 + }, + "log": { + "level": "information" + }, + "event": { + "code": "13", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "dataset": "windows.sysmon_operational", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:39:36.303809800Z'/\u003e\u003cEventRecordID\u003e9370\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:39:36.298\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x12349abc)\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:39:36.298\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_DWORD\r\nDetails: DWORD (0x12349abc)\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "action": "Registry value set (rule: RegistryEvent)", + "created": "2022-03-31T06:39:37.779Z" + } + }, + { + "@timestamp": "2022-03-31T06:40:11.539Z", + "winlog": { + "event_id": "13", + "user": { + "name": "SYSTEM", + "type": "User", + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY" + }, + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "event_data": { + "User": "VAGRANT\\vagrant", + "Details": "Binary Data", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING", + "EventType": "SetValue", + "ProcessId": "5816", + "Image": "C:\\Windows\\regedit.exe", 
+ "UtcTime": "2022-03-31 06:40:11.534", + "RuleName": "UACMe Dir Prep" + }, + "record_id": 9375, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "version": 2, + "computer_name": "vagrant", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "opcode": "Info", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "Registry value set (rule: RegistryEvent)" + }, + "event": { + "code": "13", + "dataset": "windows.sysmon_operational", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:40:11.539166700Z'/\u003e\u003cEventRecordID\u003e9375\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:40:11.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING\u003c/Data\u003e\u003cData Name='Details'\u003eBinary 
Data\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:40:11.534\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_MULTI_VALUE_STRING\r\nDetails: Binary Data\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "action": "Registry value set (rule: RegistryEvent)", + "created": "2022-03-31T06:40:13.047Z" + }, + "log": { + "level": "information" + } + }, + { + "@timestamp": "2022-03-31T06:40:38.118Z", + "log": { + "level": "information" + }, + "winlog": { + "task": "Registry value set (rule: RegistryEvent)", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "opcode": "Info", + "event_data": { + "User": "VAGRANT\\vagrant", + "RuleName": "UACMe Dir Prep", + "EventType": "SetValue", + "UtcTime": "2022-03-31 06:40:38.113", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}", + "ProcessId": "5816", + "Details": "Binary Data", + "Image": "C:\\Windows\\regedit.exe", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE" + }, + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "api": "wineventlog", + "provider_name": "Microsoft-Windows-Sysmon", + "version": 2, + "user": { + "identifier": "S-1-5-18", + "domain": "NT AUTHORITY", + 
"name": "SYSTEM", + "type": "User" + }, + "event_id": "13", + "record_id": 9379 + }, + "event": { + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:40:38.118474300Z'/\u003e\u003cEventRecordID\u003e9379\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:40:38.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:40:38.113\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: 
HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_BIN_VALUE\r\nDetails: Binary Data\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e", + "action": "Registry value set (rule: RegistryEvent)", + "dataset": "windows.sysmon_operational", + "created": "2022-03-31T06:40:39.262Z", + "code": "13", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon" + } + }, + { + "@timestamp": "2022-03-31T06:41:01.551Z", + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "provider_name": "Microsoft-Windows-Sysmon", + "event_id": "13", + "opcode": "Info", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "process": { + "pid": 2876, + "thread": { + "id": 3720 + } + }, + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM", + "type": "User", + "identifier": "S-1-5-18" + }, + "version": 2, + "event_data": { + "RuleName": "UACMe Dir Prep", + "Image": "C:\\Windows\\regedit.exe", + "EventType": "SetValue", + "UtcTime": "2022-03-31 06:41:01.546", + "ProcessId": "5816", + "TargetObject": "HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR", + "Details": "*.dll expanded", + "User": "VAGRANT\\vagrant", + "ProcessGuid": "{ce6f2a55-427a-6245-3801-000000000900}" + }, + "api": "wineventlog", + "record_id": 9384 + }, + "event": { + "provider": "Microsoft-Windows-Sysmon", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-03-31T06:41:01.551493500Z'/\u003e\u003cEventRecordID\u003e9384\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2876' ThreadID='3720'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003eUACMe Dir Prep\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-03-31 06:41:01.546\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{ce6f2a55-427a-6245-3801-000000000900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5816\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR\u003c/Data\u003e\u003cData Name='Details'\u003e*.dll expanded\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003c/EventData\u003e\u003cRenderingInfo Culture='en-US'\u003e\u003cMessage\u003eRegistry value set:\r\nRuleName: UACMe Dir Prep\r\nEventType: SetValue\r\nUtcTime: 2022-03-31 06:41:01.546\r\nProcessGuid: {ce6f2a55-427a-6245-3801-000000000900}\r\nProcessId: 5816\r\nImage: C:\\Windows\\regedit.exe\r\nTargetObject: HKU\\S-1-5-21-2788380046-4280556519-4095830112-1000\\Volatile Environment\\2\\TEST_EXPANDED_STR\r\nDetails: *.dll expanded\r\nUser: VAGRANT\\vagrant\u003c/Message\u003e\u003cLevel\u003eInformation\u003c/Level\u003e\u003cTask\u003eRegistry value set (rule: 
RegistryEvent)\u003c/Task\u003e\u003cOpcode\u003eInfo\u003c/Opcode\u003e\u003cChannel\u003e\u003c/Channel\u003e\u003cProvider\u003e\u003c/Provider\u003e\u003cKeywords\u003e\u003c/Keywords\u003e\u003c/RenderingInfo\u003e\u003c/Event\u003e",
+ "action": "Registry value set (rule: RegistryEvent)",
+ "dataset": "windows.sysmon_operational",
+ "created": "2022-03-31T06:41:03.491Z",
+ "code": "13",
+ "kind": "event"
+ },
+ "log": {
+ "level": "information"
+ }
+ }
 ]
-}
+}
\ No newline at end of file
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
index 67f70075b2a..b54ffd8452a 100644
--- a/packages/windows/docs/README.md
+++ b/packages/windows/docs/README.md
@@ -149,11 +149,12 @@ An example event for `powershell` looks as following:
 {
 "@timestamp": "2020-05-13T13:21:43.183Z",
 "agent": {
- "ephemeral_id": "db81e0aa-51b2-4036-9ece-f3c8979be9f8",
- "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
+ "ephemeral_id": "9c05a45c-02bf-4437-9447-8591244dbdca",
+ "hostname": "docker-fleet-agent",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "7.17.0"
 },
 "data_stream": {
 "dataset": "windows.powershell",
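Review bot: The six new event 13 fixtures only exercise well-formed `Details` values (`QWORD (0x00000000-0x1234fabd)`, `DWORD (0x12349abc)`, `abcd`, `*.dll expanded`, `Binary Data`); there is no case with an empty `Details`, and none where a plain string value happens to begin with `DWORD (` or `QWORD (`, which is the input a prefix-based conversion in default.yml (outside this chunk) would presumably mis-type, since that text is whatever the process that set the key wrote there. TEST_MULTI_VALUE_STRING and TEST_BIN_VALUE both carry the literal `Binary Data`, so the expected output cannot show whether REG_MULTI_SZ and REG_BINARY are meant to be told apart; because this JSON fixture has no comment syntax, a sentence in the README or the pipeline description noting that Sysmon renders both types as this placeholder would spare the next reader the lookup. The regenerated file also now ends with `\ No newline at end of file`; restoring the trailing newline keeps later regenerations from touching the closing `}` again.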
@@ -164,17 +165,17 @@ An example event for `powershell` looks as following: "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "snapshot": false, - "version": "8.0.0-beta1" + "version": "7.17.0" }, "event": { "agent_id_status": "verified", "category": "process", "code": "600", - "created": "2022-01-12T05:24:01.636Z", + "created": "2022-03-31T08:41:12.816Z", "dataset": "windows.powershell", - "ingested": "2022-01-12T05:24:02Z", + "ingested": "2022-03-31T08:41:16Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", @@ -482,11 +483,12 @@ An example event for `powershell_operational` looks as following: { "@timestamp": "2020-05-13T09:04:04.755Z", "agent": { - "ephemeral_id": "bbdc83ce-5df6-4729-b8e9-0185b6ab66f6", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "d531ecae-45f4-4f96-a334-2c851a45469a", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "7.17.0" }, "data_stream": { "dataset": "windows.powershell_operational", 
@@ -497,17 +499,17 @@ An example event for `powershell_operational` looks as following: "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "snapshot": false, - "version": "8.0.0-beta1" + "version": "7.17.0" }, "event": { "agent_id_status": "verified", "category": "process", "code": "4105", - "created": "2022-01-12T05:24:36.653Z", + "created": "2022-03-31T08:41:48.560Z", "dataset": "windows.powershell_operational", - "ingested": "2022-01-12T05:24:37Z", + "ingested": "2022-03-31T08:41:49Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -808,11 +810,12 @@ An example event for `sysmon_operational` looks as following: { "@timestamp": "2019-07-18T03:34:01.261Z", "agent": { - "ephemeral_id": "864e1771-93da-4224-b75b-92560b085f41", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "0670a96e-1852-42bc-b667-66e022ab1c89", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "7.17.0" }, "data_stream": { "dataset": "windows.sysmon_operational", @@ -848,9 +851,9 @@ An example event for `sysmon_operational` looks as following: "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", "snapshot": false, - "version": "8.0.0-beta1" + "version": "7.17.0" }, "event": { "agent_id_status": "verified", 
@@ -860,7 +863,7 @@ An example event for `sysmon_operational` looks as following: "code": "22", "created": "2019-07-18T03:34:02.025Z", "dataset": "windows.sysmon_operational", - "ingested": "2022-01-12T05:25:16Z", + "ingested": "2022-03-31T08:42:26Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", From 3335a4bbb0ec12f438fab36dbb897f696da7122b Mon Sep 17 00:00:00 2001 
From: Sai Kiran <85323324+r00tu53r@users.noreply.github.com> Date: Fri, 1 Apr 2022 12:13:48 +1100 Subject: [PATCH 4/6] convert DWORD to decimal to keep it consistent with QWORD --- .../_dev/test/pipeline/test-events.json-expected.json | 4 ++-- .../elasticsearch/ingest_pipeline/default.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index 6cb5044ddf0..21cf15f4a9f 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json @@ -495,7 +495,7 @@ "registry": { "data": { "strings": [ - "0x00000004" + "4" ], "type": "SZ_DWORD" }, @@ -21702,7 +21702,7 @@ "registry": { "data": { "strings": [ - "0x12349abc" + "305437372" ], "type": "SZ_DWORD" }, diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml index 4cbdd207c5d..a83a79a9f9a 100644 --- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml @@ -1200,7 +1200,7 @@ processors: def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16); if (!Double.isNaN(parsedValue)) { dataType = "SZ_DWORD"; - dataValue = matcher.group(1); + dataValue = Long.toString(parsedValue); ctx.registry.data = [ "strings": [dataValue], "type": dataType From 4184234dcb91fdd7c5e628169763c4b1a42ed033 Mon Sep 17 00:00:00 2001 
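Review bot: The guard `if (!Double.isNaN(parsedValue))` in the default.yml hunk can never be false, because `Long.parseLong` returns a `long` (never NaN) and signals a bad value by throwing `NumberFormatException` instead, so a `Details` string that matches the regex but is not valid hex will throw out of the script rather than be skipped; since `Details` is registry-value content that any process on the host can write, a malformed value should not be able to fail ingestion of the Sysmon event, and whether an `on_failure`/`ignore_failure` handler catches this is outside the hunk. I'd replace the dead check with a `try`/`catch` that leaves `parsedValue` null and test that branch with a non-hex `DWORD (0x...)` fixture. The decimal conversion itself looks right (`0x12349abc` → `305437372`, and values ≥ `0x80000000` stay unsigned since they fit in a `long`). The enclosing script block starts and ends outside this hunk.

```painless
def parsedValue = null;
try {
  parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16);
} catch (NumberFormatException e) {
  // not a hex number: leave parsedValue null so the DWORD branch is skipped
}
if (parsedValue != null) {
  dataType = "SZ_DWORD";
  dataValue = Long.toString(parsedValue);
  // … unchanged: ctx.registry.data assignment …
```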
From: Sai Kiran <85323324+r00tu53r@users.noreply.github.com> Date: Fri, 1 Apr 2022 12:21:49 +1100 Subject: [PATCH 5/6] remove event.ingested --- .../_dev/test/pipeline/test-events.json-expected.json | 4 ---- .../powershell/elasticsearch/ingest_pipeline/default.yml | 3 --- .../_dev/test/pipeline/test-events.json-expected.json | 4 ---- .../elasticsearch/ingest_pipeline/default.yml | 3 --- 4 files changed, 14 deletions(-) diff --git a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json index e78dee3f57d..55c5f7a6ce9 100644 --- a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json 
@@ -8,7 +8,6 @@ "event": { "category": "process", "code": "600", - "ingested": "2022-03-31T08:44:05.709674800Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", 
@@ -67,7 +66,6 @@ "event": { "category": "process", "code": "400", - "ingested": "2022-03-31T08:44:05.709684500Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:00:30.891423500Z'/\u003e\u003cEventRecordID\u003e1492\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:01:14.371507600Z'/\u003e\u003cEventRecordID\u003e1511\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:32:51.989256800Z'/\u003e\u003cEventRecordID\u003e1579\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:27.747227500Z'/\u003e\u003cEventRecordID\u003e18591\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", 
@@ -123,7 +121,6 @@ "event": { "category": "process", "code": "800", - "ingested": "2022-03-31T08:44:05.709689Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-02-26T09:37:40.487241500Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant-2019\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026amp; { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026amp;'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.376993100Z'/\u003e\u003cEventRecordID\u003e1843\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u0026amp; { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026amp; { Set-StrictMode -Version 1; 
$this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003eCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1846\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eImport-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in 
any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1847\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u003c/Data\u003e\u003cData\u003eCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", 
@@ -226,7 +223,6 @@ "event": { "category": "process", "code": "403", - "ingested": "2022-03-31T08:44:05.709693900Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T15:31:22.426923800Z'/\u003e\u003cEventRecordID\u003e1687\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.932007000Z'/\u003e\u003cEventRecordID\u003e1706\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:28:53.626698200Z'/\u003e\u003cEventRecordID\u003e1766\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat 
text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:28.686193900Z'/\u003e\u003cEventRecordID\u003e18592\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", diff --git a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml index 6d94b1bfe64..7e9df152b05 100644 --- a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml @@ -38,9 +38,6 @@ processors: ignore_failure: true if: ctx?.winlog?.time_created != null - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: event.kind value: event 
diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json index f15bce018e8..b2c5deb1628 100644 --- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json @@ -8,7 +8,6 @@ "event": { "category": "process", "code": "4105", - "ingested": "2022-03-31T08:44:06.320067600Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -66,7 +65,6 @@
 "event": {
 "category": "process",
 "code": "4103",
- "ingested": "2022-03-31T08:44:06.320074100Z",
 "kind": "event",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-PowerShell",
@@ -170,7 +168,6 @@
 "event": {
 "category": "process",
 "code": "4106",
- "ingested": "2022-03-31T08:44:06.320078300Z",
 "kind": "event",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-PowerShell",
@@ -222,7 +219,6 @@
 "event": {
 "category": "process",
 "code": "4104",
- "ingested": "2022-03-31T08:44:06.320084900Z",
 "kind": "event",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-PowerShell",
diff --git a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
index 90e4f573fa1..16d21d8fe82 100644
--- a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
@@ -40,9 +40,6 @@ processors:
 ignore_failure: true
 if: ctx?.winlog?.time_created != null
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
 - set:
 field: event.kind
 value: event
From fa1e75cbd419c6248580f64c78b36a827242da24 Mon Sep 17 00:00:00 2001
From: Sai Kiran <85323324+r00tu53r@users.noreply.github.com>
Date: Fri, 1 Apr 2022 12:31:28 +1100
Subject: [PATCH 6/6] remove unwanted newlines
---
 .../elasticsearch/ingest_pipeline/default.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
index a83a79a9f9a..c75458c77c3 100644
--- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
@@ -1175,11 +1175,9 @@ processors:
 def data = ctx?.winlog?.event_data?.Details;
 if (data != null && data != "") {
-
 def prefixLen = 2; // to remove 0x prefix
 def dataValue = "";
 def dataType = "";
-
 def matcher = qwordRegex.matcher(data);
 if (matcher.matches()) {
 def parsedHighByte = Long.parseLong(matcher.group(2).substring(prefixLen), 16);