From 50ff0c6ab78dfaca22ac496cee341e04864fd398 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Thu, 19 Oct 2023 07:05:55 +1030
Subject: [PATCH] windows: make pipeline routing robust to channel letter case

Apparently some events from Windows servers and workstations in Security channel have a lowercase channel name. This has not been observed in other channels, but defensively apply the same care there.
---
 packages/windows/changelog.yml | 5 +++++
 .../forwarded/_dev/test/pipeline/test-security-1100.json | 2 +-
 .../test/pipeline/test-security-1100.json-expected.json | 2 +-
 .../forwarded/elasticsearch/ingest_pipeline/default.yml | 8 ++++----
 packages/windows/manifest.yml | 2 +-
 5 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index abd9df327e4..3bed7f4a11a 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.40.0"
+  changes:
+    - description: Make ingest pipeline routing robust to letter case of channel names for forwarded events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/8242
 - version: "1.39.0"
   changes:
     - description: Added field `winlog.event_data.EnabledPrivilegeList` as type keyword to forwarded data stream.
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json
index 874f22895f5..858cad295e5 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json
@@ -34,7 +34,7 @@
                 "id": 4532
             }
         },
-        "channel": "Security",
+        "channel": "security",
         "event_id": 1100,
         "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
         "opcode": "Info",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json
index 8ee6abe3a65..55bea56f84d 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json
@@ -39,7 +39,7 @@
         "level": "information"
     },
     "winlog": {
-        "channel": "Security",
+        "channel": "security",
         "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
         "event_id": "1100",
         "keywords": [
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
index 8c426353f52..73a66f3adf6 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
@@ -3,16 +3,16 @@ description: Pipeline for Windows forwarded Event Logs
 processors:
   - pipeline:
       name: '{{ IngestPipeline "security" }}'
-      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security" && ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx?.winlog?.provider_name)
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "security" && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog?.provider_name)
   - pipeline:
       name: '{{ IngestPipeline "powershell" }}'
-      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Windows PowerShell"
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "windows powershell"
   - pipeline:
       name: '{{ IngestPipeline "powershell_operational" }}'
-      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-PowerShell/Operational"
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "microsoft-windows-powershell/operational"
   - pipeline:
       name: '{{ IngestPipeline "sysmon_operational" }}'
-      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-Sysmon/Operational"
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "microsoft-windows-sysmon/operational"
   - set:
       field: host.os.type
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index 28f5b4e78b4..81eedd43626 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.39.0
+version: 1.40.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories:
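Review bot: The provider_name half of the security pipeline's new `if:` is still compared case-sensitively while the channel half beside it was just made case-insensitive; if a forwarder lowercases the channel name, as the commit message reports, it is plausible the same source also varies the provider name, and such events would then fail the condition and not receive security-specific parsing. Applying the same normalization to both halves keeps the condition consistent, e.g. `if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "security" && ctx.winlog.provider_name instanceof String && ["microsoft-windows-eventlog", "microsoft-windows-security-auditing"].contains(ctx.winlog.provider_name.toLowerCase())` (a locale-pinned lowercase such as `toLowerCase(Locale.ROOT)` is preferable if the Painless allowlist in use exposes it, since the no-argument form depends on the JVM default locale). Note also that the lowercased value is used only for routing and the stored `winlog.channel` keeps the incoming case (the updated expected fixture shows `"channel": "security"`), so keyword-exact detection rules or dashboards filtering on `winlog.channel: Security` will not match these events; either normalizing the stored field or stating the asymmetry in a comment above `processors:` would save the next reader a surprise. The fixture change exercises only the lowercase Security case, so the other three rewritten conditions are untested, and the `processors:` list continues past the end of the hunk.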