
[Winlogbeat] Add Powershell logging module #18526

Merged

Conversation

marc-gr
Contributor

@marc-gr marc-gr commented May 14, 2020

What does this PR do?

Adds PowerShell logging module to winlogbeat.

Why is it important?

Add a new Winlogbeat module to collect logs from PowerShell. This will collect information about the scripts and modules that are being executed.

# The module will process events based on this config.
winlogbeat.event_logs:
  - name: Windows PowerShell
    event_ids: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_ids: 4103, 4104, 4105, 4106

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Module Checklist

  • Supported versions are documented
  • Supported operating systems are documented (if applicable)
  • Automated checks that all fields are documented
  • Documentation
  • Fields follow ECS and naming conventions
  • Dashboards to show the data

(screenshot: Powershell dashboard)

Handle events

  • 400 - This event indicates the start of a PowerShell activity, whether local or remote.
  • 403 - This event records the completion of a PowerShell activity.
  • 600 - indicates that providers such as WSMan start to perform a PowerShell activity on the system, for example, “Provider WSMan Is Started”.
  • 800 - Pipeline execution details
  • 4103 - module logging
  • 4104 - script block logging (first time it runs)
  • 4105 - Command started
  • 4106 - Command completed

Related issues

Closes #16262

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 14, 2020
@marc-gr marc-gr added the in progress Pull request is currently in progress. label May 14, 2020
@elasticmachine
Collaborator

elasticmachine commented May 14, 2020

💔 Build Failed



Build stats

  • Build Cause: [Pull request #18526 updated]

  • Start Time: 2020-05-26T16:04:29.796+0000

  • Duration: 15 min 16 sec

Steps errors


  • Name: Make check
    • Description: make check

    • Duration: 7 min 51 sec

    • Start Time: 2020-05-26T16:12:28.191+0000

    • log

Log output


[2020-05-26T16:19:24.971Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:24.972Z] Stage "Journalbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:24.972Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-26T16:19:24.973Z] Stage "Kubernetes" skipped due to earlier failure(s)
[2020-05-26T16:19:25.060Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.062Z] Stage "Auditbeat oss" skipped due to earlier failure(s)
[2020-05-26T16:19:25.063Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.064Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-05-26T16:19:25.064Z] Stage "Packetbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.065Z] Stage "dockerlogbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.066Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.067Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.068Z] Stage "Journalbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.069Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-26T16:19:25.455Z] Failed in branch Elastic Agent x-pack
[2020-05-26T16:19:25.457Z] Failed in branch Elastic Agent x-pack Windows
[2020-05-26T16:19:25.457Z] Failed in branch Elastic Agent Mac OS X
[2020-05-26T16:19:25.458Z] Failed in branch Filebeat oss
[2020-05-26T16:19:25.458Z] Failed in branch Filebeat x-pack
[2020-05-26T16:19:25.459Z] Failed in branch Filebeat Mac OS X
[2020-05-26T16:19:25.460Z] Failed in branch Filebeat x-pack Mac OS X
[2020-05-26T16:19:25.460Z] Failed in branch Filebeat Windows
[2020-05-26T16:19:25.461Z] Failed in branch Filebeat x-pack Windows
[2020-05-26T16:19:25.461Z] Failed in branch Auditbeat x-pack
[2020-05-26T16:19:25.462Z] Failed in branch Libbeat x-pack
[2020-05-26T16:19:25.463Z] Failed in branch Metricbeat OSS Unit tests
[2020-05-26T16:19:25.463Z] Failed in branch Metricbeat OSS Integration tests
[2020-05-26T16:19:25.464Z] Failed in branch Metricbeat Python integration tests
[2020-05-26T16:19:25.464Z] Failed in branch Metricbeat crosscompile
[2020-05-26T16:19:25.465Z] Failed in branch Metricbeat Mac OS X
[2020-05-26T16:19:25.466Z] Failed in branch Metricbeat x-pack Mac OS X
[2020-05-26T16:19:25.466Z] Failed in branch Metricbeat Windows
[2020-05-26T16:19:25.467Z] Failed in branch Metricbeat x-pack Windows
[2020-05-26T16:19:25.467Z] Failed in branch Winlogbeat Windows x-pack
[2020-05-26T16:19:25.468Z] Failed in branch Kubernetes
[2020-05-26T16:19:25.754Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.756Z] Stage "Auditbeat oss" skipped due to earlier failure(s)
[2020-05-26T16:19:25.757Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.758Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-05-26T16:19:25.759Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.760Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:25.761Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-26T16:19:25.811Z] Failed in branch Packetbeat
[2020-05-26T16:19:25.812Z] Failed in branch dockerlogbeat
[2020-05-26T16:19:25.812Z] Failed in branch Journalbeat
[2020-05-26T16:19:26.013Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:26.015Z] Stage "Auditbeat oss" skipped due to earlier failure(s)
[2020-05-26T16:19:26.016Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:26.017Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-05-26T16:19:26.018Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-26T16:19:26.053Z] Failed in branch Metricbeat x-pack
[2020-05-26T16:19:26.054Z] Failed in branch Winlogbeat
[2020-05-26T16:19:26.254Z] Failed in branch Heartbeat
[2020-05-26T16:19:26.255Z] Failed in branch Libbeat
[2020-05-26T16:19:26.256Z] Failed in branch Functionbeat
[2020-05-26T16:19:26.256Z] Stage "Auditbeat oss" skipped due to earlier failure(s)
[2020-05-26T16:19:26.258Z] Stage "Generators" skipped due to earlier failure(s)
[2020-05-26T16:19:26.370Z] Failed in branch Auditbeat oss
[2020-05-26T16:19:26.371Z] Failed in branch Generators
[2020-05-26T16:19:26.486Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18526/src/github.com/elastic/beats
[2020-05-26T16:19:26.795Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-05-26T16:19:26.806Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18526/src/github.com/elastic/beats/Lint
[2020-05-26T16:19:27.175Z] + cat
[2020-05-26T16:19:27.176Z] + /usr/local/bin/runbld ./runbld-script
[2020-05-26T16:19:27.176Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-05-26T16:19:33.756Z] runbld>>> runbld started
[2020-05-26T16:19:33.756Z] runbld>>> 1.6.11/a66728ff8f4356963772e6e6d2069392fa06acbe
[2020-05-26T16:19:34.697Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-18526' in order of occurrence in the config (last value wins).
[2020-05-26T16:19:36.076Z] runbld>>> Debug logging enabled.
[2020-05-26T16:19:36.076Z] runbld>>> Storing result
[2020-05-26T16:19:36.076Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-05-26T16:19:36.076Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200526161935-5FD9C9AB
[2020-05-26T16:19:36.076Z] runbld>>> Adding system facts.
[2020-05-26T16:19:37.020Z] runbld>>> Adding vcs info for the latest commit:  0b7b2c388187c4dc1071beddae63a108b8425273
[2020-05-26T16:19:37.021Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-05-26T16:19:37.021Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-05-26T16:19:37.021Z] + echo 'Processing JUnit reports with runbld...'
[2020-05-26T16:19:37.021Z] Processing JUnit reports with runbld...
[2020-05-26T16:19:37.589Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-05-26T16:19:37.589Z] runbld>>> DURATION: 23ms
[2020-05-26T16:19:37.589Z] runbld>>> STDOUT: 40 bytes
[2020-05-26T16:19:37.589Z] runbld>>> STDERR: 49 bytes
[2020-05-26T16:19:37.589Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-05-26T16:19:37.589Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18526/src/github.com/elastic/beats
[2020-05-26T16:19:38.530Z] runbld>>> Storing build metadata: 
[2020-05-26T16:19:38.530Z] runbld>>> Adding test report.
[2020-05-26T16:19:38.530Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18526/src/github.com/elastic/beats
[2020-05-26T16:19:39.468Z] runbld>>> Found 0 test output files
[2020-05-26T16:19:39.468Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 0 Skipped: 0
[2020-05-26T16:19:39.468Z] runbld>>> Storing result
[2020-05-26T16:19:39.727Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-05-26T16:19:39.727Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200526161935-5FD9C9AB
[2020-05-26T16:19:39.727Z] runbld>>> Email notification disabled by environment variable.
[2020-05-26T16:19:39.727Z] runbld>>> Slack notification disabled by environment variable.
[2020-05-26T16:19:45.399Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18526
[2020-05-26T16:19:45.518Z] [INFO] getVaultSecret: Getting secrets
[2020-05-26T16:19:45.571Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-05-26T16:19:46.281Z] + chmod 755 generate-build-data.sh
[2020-05-26T16:19:46.281Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18526/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18526/runs/18 FAILURE 916223
[2020-05-26T16:19:46.832Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18526/runs/18/steps/?limit=10000 -o steps-info.json

@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 15, 2020
@marc-gr marc-gr force-pushed the feature_winlogbeat-create-powershell-mod branch 7 times, most recently from 872eb74 to 4eb33ee Compare May 21, 2020 10:57
@marc-gr marc-gr marked this pull request as ready for review May 21, 2020 13:43
@marc-gr marc-gr requested a review from a team as a code owner May 21, 2020 13:43
@marc-gr marc-gr force-pushed the feature_winlogbeat-create-powershell-mod branch 2 times, most recently from f46c53b to 84cbf38 Compare May 21, 2020 14:18
Member

@andrewkroh andrewkroh left a comment


Exciting! I want to get this deployed after it merges and test it out some more.

x-pack/winlogbeat/module/powershell/_meta/fields.yml
to: "process.command_line",
},
{
from: "winlog.event_data.HostName",
Member


The HostName field is included in message details of events identified by EID 400 and EID 403. For a local activity, this field is recorded as ConsoleHost (HostName = ConsoleHost); for a remote activity handled by PowerShell, HostName is recorded as ServerRemoteHost (HostName = ServerRemoteHost) on the system that is accessed. https://nsfocusglobal.com/Attack-and-Defense-Around-PowerShell-Event-Logging

If the values truly are ConsoleHost and ServerRemoteHost then maybe we can find a different place for this than process.title. 🤔

Contributor Author


Initially I thought those two were the only possible values, but others seem to also be possible e.g.: Windows PowerShell ISE Host in the test evtx files. So I would expect it to be anything else at some point, with those two being possibly the most common ones when executing through local or remote shell. I agree that maybe process.title is not the right place, maybe something like powershell.process.name following with powershell.process.executable_version that is already there? wdyt?

winlogbeat/docs/modules/powershell.asciidoc
winlogbeat/docs/modules/powershell.asciidoc
x-pack/winlogbeat/winlogbeat.yml
@andrewkroh
Member

A few ideas on the dashboard...

In general think about what signals are useful to the user. The dashboards can have a few different audiences. So in an overview like this I like to provide some basic metrics that show Winlogbeat is working and collecting data. Then provide some more detailed visualizations to help understand the PowerShell activity across all the hosts. With the visualizations try to make it possible for the user to "drill down" into the data.

Maybe add some high-level metrics across the top (total commands, total remote commands, unique users, unique hosts, unique powershell versions).

I would like to have a host component to the dashboard. Like incorporate some host counts and maybe a top-N hosts table for powershell command activity. This way the dashboard works well when you have more than a single host you're looking at.

Could the engine and command starts be combined into one line chart over time (with two series being charted)? Are the stop events useful visually? If not, I'd omit them.

(screenshot: powershell-dashboard-v1)

It might also be useful to add a saved search to the bottom showing the actual process arguments. This way as you filter by clicking on the visualizations you can see the associated raw data.

Contributor

@leehinman leehinman left a comment


Looking really good.

A couple of suggestions on ECS categorization:
For the current IDs, could all of them have event.category = process ?
For 4105 event.type could probably be start
For 4106 event.type could probably be stop
For the others event.type could probably be info

could winlog.record_id be mapped to event.id? I'm not sure if it is unique or not.

Optional style suggestion.
It looks like Microsoft sometimes uses spaces in the key names and sometimes not. I'm thinking it might be helpful to go through all the keys and normalize them to one or the other (or snake case). It would make it easier in the future and you could convert a lot of your calls to popFirstFoundFromEventData to a simple rename processor.
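The event ID list in the PR description and the two suggestions above (ECS categorization, and normalizing event_data key names so that a plain rename can replace repeated popFirstFoundFromEventData calls) fit in one piece of code. The following is an added example written for this page, not the module's own processor script, in plain Node.js-style JavaScript. It assumes Winlogbeat's field layout (winlog.event_id, winlog.event_data) and uses constructed sample events. It follows the suggested categories, except that it spells the completion type for 4106 as end, which is the value the ECS event.type vocabulary defines (ECS has no stop value).

```javascript
// Added example for this PR page (not the Winlogbeat powershell module's own code).
// Assumed layout: evt.winlog.event_id and evt.winlog.event_data, as Winlogbeat
// emits them. The sample events below are constructed, not captured from a host.

// Event IDs the module processes, taken from the PR description.
const HANDLED_EVENT_IDS = new Set([400, 403, 600, 800, 4103, 4104, 4105, 4106]);

// Normalize one event_data key to snake_case so "HostName", "Host Name" and
// "host_name" all land on the same field and a plain rename processor suffices.
function toSnakeCase(key) {
  return key
    .trim()
    .replace(/([A-Z]+)([A-Z][a-z])/g, '$1_$2') // "PSVersion" -> "PS_Version"
    .replace(/([a-z0-9])([A-Z])/g, '$1_$2')    // "HostName"  -> "Host_Name"
    .replace(/[\s-]+/g, '_')                   // "Host Name" -> "Host_Name"
    .replace(/_+/g, '_')
    .toLowerCase();
}

// Rewrite every key of an event_data object; if two spellings collapse onto the
// same name, the first one seen wins and the duplicate is dropped.
function normalizeEventData(eventData) {
  const normalized = {};
  for (const [key, value] of Object.entries(eventData)) {
    const name = toSnakeCase(key);
    if (!(name in normalized)) normalized[name] = value;
  }
  return normalized;
}

// ECS categorization as suggested in review: every handled ID is a "process"
// event; 4105 (command started) is "start", 4106 (command completed) is "end"
// (the ECS spelling of the suggested "stop"); everything else is "info".
function ecsCategorization(eventId) {
  if (!HANDLED_EVENT_IDS.has(eventId)) return null; // not an event this module handles
  let type = 'info';
  if (eventId === 4105) type = 'start';
  else if (eventId === 4106) type = 'end';
  return { category: ['process'], type: [type] };
}

// Apply both steps to one event and return a new object; the input is left untouched.
function enrich(evt) {
  const cat = ecsCategorization(evt.winlog.event_id);
  return {
    ...evt,
    event: cat ? { ...(evt.event || {}), category: cat.category, type: cat.type } : (evt.event || {}),
    winlog: { ...evt.winlog, event_data: normalizeEventData(evt.winlog.event_data || {}) },
  };
}

// Constructed sample events; the key spellings deliberately mix the styles
// the review describes (with and without spaces), and all values are made up.
const SAMPLE_EVENTS = [
  { winlog: { channel: 'Windows PowerShell', event_id: 400,
              event_data: { HostName: 'ConsoleHost', 'Host Name': 'ConsoleHost', PSVersion: '5.1' } } },
  { winlog: { channel: 'Microsoft-Windows-PowerShell/Operational', event_id: 4104,
              event_data: { ScriptBlockText: 'Get-Process', 'Script Block Id': 'sample-block-1', MessageNumber: '1' } } },
  { winlog: { channel: 'Microsoft-Windows-PowerShell/Operational', event_id: 4105,
              event_data: { ScriptBlockId: 'sample-block-1' } } },
  { winlog: { channel: 'Microsoft-Windows-PowerShell/Operational', event_id: 4106,
              event_data: { ScriptBlockId: 'sample-block-1' } } },
];

// Enrich all samples; returns the new events so callers can inspect them.
function enrichSamples() {
  return SAMPLE_EVENTS.map(enrich);
}

for (const e of enrichSamples()) {
  console.log(e.winlog.event_id, JSON.stringify(e.event), JSON.stringify(e.winlog.event_data));
}
```

Running it prints one line per sample: the 400 event ends up with a single host_name key (the duplicate spelling is dropped) and event.type info, while 4105 and 4106 get start and end. Which spelling should win when two collapse onto one name is a policy choice; here the first key seen is kept so the behaviour is deterministic.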

@andrewkroh
Member

BTW Nice job at figuring out all of the dashboard exporting logistics. You'll want to include a screenshot of the final dashboard in the module docs.

@andrewkroh
Member

could winlog.record_id be mapped to event.id? I'm not sure if it is unique or not.

They are only unique within an event log on a host IIRC. Does that qualify? A unique ID could be created by fingerprinting @timestamp + computer_name + channel + record_number.

@marc-gr marc-gr force-pushed the feature_winlogbeat-create-powershell-mod branch 2 times, most recently from 81af99e to 7401f6f Compare May 26, 2020 12:35
@marc-gr marc-gr force-pushed the feature_winlogbeat-create-powershell-mod branch 3 times, most recently from 6f3634f to 0b7b2c3 Compare May 26, 2020 16:04
@andrewkroh
Member

For future PRs, it's favorable from a reviewer standpoint if you squash at the end. This way we can review the changes since we last reviewed and save time.

Member

@andrewkroh andrewkroh left a comment


LGTM. Though it looks like mage update needs to be run to get the build green. We might want to shrink down the screenshot dimensions before merging. Let's see what @dedemorton thinks?

@@ -2,11 +2,13 @@
This file is generated! See scripts/mage/docs.go or run 'mage docs'.
////

* <<{beatname_lc}-module-powershell,Powershell>>
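Review bot: the link text `Powershell` in `* <<{beatname_lc}-module-powershell,Powershell>>` should read `PowerShell`, matching the product name used elsewhere in this PR, but the header two lines above states that this file is generated (`This file is generated! See scripts/mage/docs.go or run 'mage docs'`), so the fix belongs in the source the generator reads, followed by re-running `mage docs`; a hand edit here would be overwritten on the next regeneration.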
Member


Suggested change
* <<{beatname_lc}-module-powershell,Powershell>>
* <<{beatname_lc}-module-powershell,PowerShell>>

@dedemorton
Contributor

We might want to shrink down the screenshot dimensions before merging.

Yes, I would make it smaller. The general guideline is to "take screenshots with an aspect ratio of 16:9 (1920x1080 preferred, also commonly referred to as 1080p)." Though honestly, this is the marketing guideline; most of screenshots in our docs do not currently follow that guideline. Maybe just resize to 1920 width (preserving aspect ratio) and see how it looks in the built docs.

For internal folks: you'll find screen capture guidelines under "Guidelines – Screenshots" in the company wiki.

@elasticmachine
Collaborator

elasticmachine commented May 26, 2020

💚 Build Succeeded



Build stats

  • Build Cause: [Pull request #18526 updated]

  • Start Time: 2020-05-27T08:42:34.204+0000

  • Duration: 44 min 6 sec

Test stats 🧪

Test Results
Failed 0
Passed 777
Skipped 128
Total 905

@marc-gr marc-gr force-pushed the feature_winlogbeat-create-powershell-mod branch 3 times, most recently from 5786f13 to 7fd374d Compare May 27, 2020 08:10
Initial support for event ids: 400, 403, 600, 800, 4103, 4014, 4105, 4106
Add fields documentation
Add powershell module dashboard

Closes elastic#16262
@marc-gr marc-gr force-pushed the feature_winlogbeat-create-powershell-mod branch from 7fd374d to 873dbd0 Compare May 27, 2020 08:42
@marc-gr
Contributor Author

marc-gr commented May 27, 2020

@dedemorton I resized the images to be 1920w, let me know if they need anything else 👍

@marc-gr marc-gr requested a review from leehinman May 27, 2020 09:35
Contributor

@leehinman leehinman left a comment


LGTM

@marc-gr marc-gr merged commit f4019d5 into elastic:master May 28, 2020
@marc-gr marc-gr deleted the feature_winlogbeat-create-powershell-mod branch May 28, 2020 14:07
marc-gr added a commit to marc-gr/beats that referenced this pull request May 28, 2020
Initial support for event ids: 400, 403, 600, 800, 4103, 4014, 4105, 4106
Add fields documentation
Add powershell module dashboard

Closes elastic#16262

(cherry picked from commit f4019d5)
marc-gr added a commit that referenced this pull request May 28, 2020
Initial support for event ids: 400, 403, 600, 800, 4103, 4014, 4105, 4106
Add fields documentation
Add powershell module dashboard

Closes #16262

(cherry picked from commit f4019d5)
@gwsales

gwsales commented Aug 24, 2020

Nice work!

Is there any way to add a flag to not delete the source fields? I like all the extractions but we also need to keep source data intact. One example: reassembling the details is very helpful for detection but can sometimes cause issues for compliance, which needs to recreate the source data.

@andrewkroh
Member

@gwsales Sounds like a good idea. Can you please open a new issue for this?

Labels: enhancement, in progress (Pull request is currently in progress.), v7.9.0, Winlogbeat