Skip to content

Commit

Permalink
Add winlogbeat powershell module (elastic#18526)
Browse files Browse the repository at this point in the history
Initial support for event ids: 400, 403, 600, 800, 4103, 4014, 4105, 4106
Add fields documentation
Add powershell module dashboard

Closes elastic#16262

(cherry picked from commit f4019d5)
  • Loading branch information
marc-gr committed May 28, 2020
1 parent 16d6a78 commit 7cae739
Show file tree
Hide file tree
Showing 35 changed files with 4,999 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding `process.hash`, `process.pe.imphash`, `file.hash`, or `file.pe.imphash`. {issue}18364[18364]
- Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364]
- Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
- Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526]

*Functionbeat*

Expand Down
6 changes: 6 additions & 0 deletions winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,9 @@ winlogbeat.event_logs:

- name: ForwardedEvents
tags: [forwarded]

- name: Windows PowerShell
event_id: 400, 403, 600, 800

- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4104, 4105, 4106
308 changes: 308 additions & 0 deletions winlogbeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ grouped in the following categories:
* <<exported-fields-host-processor>>
* <<exported-fields-jolokia-autodiscover>>
* <<exported-fields-kubernetes-processor>>
* <<exported-fields-powershell>>
* <<exported-fields-process>>
* <<exported-fields-security>>
* <<exported-fields-sysmon>>
Expand Down Expand Up @@ -7474,6 +7475,313 @@ type: keyword
--
[[exported-fields-powershell]]
== PowerShell module fields
These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs.
*`id`*::
+
--
Shell Id.
type: keyword
example: Microsoft Powershell
--
*`pipeline_id`*::
+
--
Pipeline id.
type: keyword
example: 1
--
*`runspace_id`*::
+
--
Runspace id.
type: keyword
example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb
--
*`sequence`*::
+
--
Sequence number of the powershell execution.
type: long
example: 1
--
*`total`*::
+
--
Total number of messages in the sequence.
type: long
example: 10
--
[float]
=== powershell.command
Data related to the executed command.
*`powershell.command.path`*::
+
--
Path of the executed command.
type: keyword
example: C:\Windows\system32\cmd.exe
--
*`powershell.command.name`*::
+
--
Name of the executed command.
type: keyword
example: cmd.exe
--
*`powershell.command.type`*::
+
--
Type of the executed command.
type: keyword
example: Application
--
*`powershell.command.value`*::
+
--
The invoked command.
type: text
example: Import-LocalizedData LocalizedData -filename ArchiveResources
--
*`powershell.command.invocation_details`*::
+
--
An array of objects containing detailed information of the executed command.
type: array
--
*`powershell.command.invocation_details.type`*::
+
--
The type of detail.
type: keyword
example: CommandInvocation
--
*`powershell.command.invocation_details.related_command`*::
+
--
The command to which the detail is related to.
type: keyword
example: Add-Type
--
*`powershell.command.invocation_details.name`*::
+
--
Only used for ParameterBinding detail type. Indicates the parameter name.
type: keyword
example: AssemblyName
--
*`powershell.command.invocation_details.value`*::
+
--
The value of the detail. The meaning of it will depend on the detail type.
type: text
example: System.IO.Compression.FileSystem
--
[float]
=== powershell.connected_user
Data related to the connected user executing the command.
*`powershell.connected_user.domain`*::
+
--
User domain.
type: keyword
example: VAGRANT
--
*`powershell.connected_user.name`*::
+
--
User name.
type: keyword
example: vagrant
--
[float]
=== powershell.engine
Data related to the PowerShell engine.
*`powershell.engine.version`*::
+
--
Version of the PowerShell engine version used to execute the command.
type: keyword
example: 5.1.17763.1007
--
*`powershell.engine.previous_state`*::
+
--
Previous state of the PowerShell engine.
type: keyword
example: Available
--
*`powershell.engine.new_state`*::
+
--
New state of the PowerShell engine.
type: keyword
example: Stopped
--
[float]
=== powershell.file
Data related to the executed script file.
*`powershell.file.script_block_id`*::
+
--
Id of the executed script block.
type: keyword
example: 50d2dbda-7361-4926-a94d-d9eadfdb43fa
--
*`powershell.file.script_block_text`*::
+
--
Text of the executed script block.
type: text
example: .\a_script.ps1
--
*`powershell.process.executable_version`*::
+
--
Version of the engine hosting process executable.
type: keyword
example: 5.1.17763.1007
--
[float]
=== powershell.provider
Data related to the PowerShell engine host.
*`powershell.provider.new_state`*::
+
--
New state of the PowerShell provider.
type: keyword
example: Active
--
*`powershell.provider.name`*::
+
--
Provider name.
type: keyword
example: Variable
--
[[exported-fields-process]]
== Process fields
Expand Down
Binary file added winlogbeat/docs/images/kibana-powershell.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading

0 comments on commit 7cae739

Please sign in to comment.