elastic · andrewkroh · May 11, 2022 · May 11, 2022
diff --git a/packages/windows/1.12.1/changelog.yml b/packages/windows/1.12.1/changelog.yml
@@ -0,0 +1,219 @@
+# newer versions go on top
+- version: "1.12.1"
+  changes:
+    - description: Drop unset fields in sysmon_operational data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3283
+- version: "1.12.0"
+  changes:
+    - description: Support for Sysmon Registry non-QWORD/DWORD events
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2962
+- version: "1.11.0"
+  changes:
+    - description: Add parent process ID to security event for new process creation.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2966
+- version: "1.10.1"
+  changes:
+    - description: Add documentation for multi-fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "1.10.0"
+  changes:
+    - description: Add sysmon event 26 handling
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2566
+    - description: Normalise field order and remove event.ingested
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2566
+- version: "1.9.0"
+  changes:
+    - description: Expose winlog input ignore_older option.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2542
+    - description: Fix preserve original event option
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2542
+    - description: Make order of options consistent with other winlog based integrations.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2542
+- version: "1.8.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2515
+- version: "1.7.0"
+  changes:
+    - description: Add provider name check to forwarded/security conditional.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2527
+- version: "1.6.0"
+  changes:
+    - description: Expose winlog input language option.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2344
+- version: "1.5.1"
+  changes:
+    - description: Change test public IPs to the supported subset
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2327
+- version: "1.5.0"
+  changes:
+    - description: Support Kibana 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2179
+- version: "1.4.0"
+  changes:
+    - description: Don't split hyphenated tokens for PowerShell scripts
+      type: enhancement
+      link: https://github.com/elastic/integrations/issues/1931
+- version: "1.3.3"
+  changes:
+    - description: Uniform with guidelines
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2080
+- version: "1.3.2"
+  changes:
+    - description: Fix processors configuration
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2113
+- version: "1.3.1"
+  changes:
+    - description: Update Splunk input description
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2067
+- version: "1.3.0"
+  changes:
+    - description: Consistently map message field in Windows integrations.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2008
+- version: "1.2.3"
+  changes:
+    - description: Fix ingest pipeline templating for related.ip
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1920
+- version: "1.2.2"
+  changes:
+    - description: Prevent pipeline script error
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1872
+- version: "1.2.1"
+  changes:
+    - description: Fix logic that checks for the 'forwarded' tag
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1859
+- version: "1.2.0"
+  changes:
+    - description: Update to ECS 1.12.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1711
+- version: "1.1.3"
+  changes:
+    - description: Convert to generated ECS fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1511
+- version: '1.1.2'
+  changes:
+    - description: update to ECS 1.11.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1425
+- version: "1.1.1"
+  changes:
+    - description: Escape special characters in docs
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1405
+- version: "1.1.0"
+  changes:
+    - description: Update integration description
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.0"
+  changes:
+    - description: make GA
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1214
+    - description: Set "event.module" and "event.dataset"
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1214
+- version: "0.9.2"
+  changes:
+    - description: Add support for Splunk authorization tokens
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1147
+- version: "0.9.1"
+  changes:
+    - description: Use new `wildcard` type.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1161
+- version: "0.9.0"
+  changes:
+    - description: Make `event.original` optional and upgrade to ECS 1.10.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1122
+- version: "0.8.2"
+  changes:
+    - description: Add system tests for Splunk http inputs and improve README.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1044
+    - description: Fix sysmon pipeline when processing `dns.resolved_ip`.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1044
+- version: "0.8.1"
+  changes:
+    - description: Fix security pipeline to support string event.code.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1090
+- version: "0.8.0"
+  changes:
+    - description: Use ingest pipelines for forwarded dataset.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/973
+- version: "0.7.0"
+  changes:
+    - description: Move Sysmon edge processing to ingest pipeline.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/972
+- version: "0.6.0"
+  changes:
+    - description: Move PowerShell edge processing to ingest pipeline.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/941
+- version: "0.5.2"
+  changes:
+    - description: Change Splunk input to use the decode_xml_wineventlog processor.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/923
+- version: "0.5.1"
+  changes:
+    - description: Add support for Sysmon v13 events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/913
+- version: "0.5.0"
+  changes:
+    - description: Add Splunk input for Winlog data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/821
+- version: "0.4.3"
+  changes:
+    - description: Updating package owner
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/766
+    - description: update to ECS 1.9.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/877
+- version: "0.4.2"
+  changes:
+    - description: Move security data stream
+      type: bugfix # can be one of: enhancement, bugfix, breaking-change
+      link: https://github.com/elastic/integrations/pull/726
+- version: "0.4.1"
+  changes:
+    - description: Fix Guards
+      type: bugfix # can be one of: enhancement, bugfix, breaking-change
+      link: https://github.com/elastic/integrations/pull/724
+- version: "0.1.0"
+  changes:
+    - description: initial release
+      type: enhancement # can be one of: enhancement, bugfix, breaking-change
+      link: https://github.com/elastic/integrations/pull/91
diff --git a/packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,101 @@
+config_version: "2"
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+  index_earliest:
+    value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+  - set:
+      target: url.params.search
+      value: |-
+        {{search}} | streamstats max(_indextime) AS max_indextime
+  - set:
+      target: url.params.output_mode
+      value: "json"
+  - set:
+      target: url.params.index_earliest
+      value: '[[ .cursor.index_earliest ]]'
+      default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+  - set:
+      target: url.params.index_latest
+      value: '[[(now).Unix]]'
+  - set:
+      target: header.Content-Type
+      value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+  - set:
+      target: header.Authorization
+      value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- decode_json_fields:
+    fields: message
+    target: json
+    add_error_key: true
+- drop_event:
+    when:
+      not:
+        has_fields: ['json.result']
+- fingerprint:
+    fields:
+      - json.result._cd
+      - json.result._indextime
+      - json.result._raw
+      - json.result._time
+      - json.result.host
+      - json.result.source
+    target_field: "@metadata._id"
+- drop_fields:
+    fields: message
+- rename:
+    fields:
+      - from: json.result._raw
+        to: event.original
+      - from: json.result.host
+        to: host.name
+      - from: json.result.source
+        to: event.provider
+    ignore_missing: true
+    fail_on_error: false
+- drop_fields:
+    fields: json
+- decode_xml_wineventlog:
+    field: event.original
+    target_field: winlog
+    ignore_missing: true
+    ignore_failure: true
+    map_ecs_fields: true
+{{#if processors.length}}
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs
@@ -0,0 +1,27 @@
+name: ForwardedEvents
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,19 @@
+---
+description: Pipeline for Windows forwarded Event Logs
+processors:
+  - pipeline:
+      name: '{{ IngestPipeline "security" }}'
+      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security" && ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx?.winlog?.provider_name)
+  - pipeline:
+      name: '{{ IngestPipeline "powershell" }}'
+      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Windows PowerShell"
+  - pipeline:
+      name: '{{ IngestPipeline "powershell_operational" }}'
+      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-PowerShell/Operational"
+  - pipeline:
+      name: '{{ IngestPipeline "sysmon_operational" }}'
+      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-Sysmon/Operational"
+on_failure:
+  - set:
+      field: "error.message"
+      value: "{{ _ingest.on_failure_message }}"