diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index c98617e3b15..30c65ae5563 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -68,6 +68,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding `process.hash`, `process.pe.imphash`, `file.hash`, or `file.pe.imphash`. {issue}18364[18364] - Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364] - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364] +- Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526] *Functionbeat* diff --git a/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl b/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl index 64a01bb8352..14b454e6050 100644 --- a/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl +++ b/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl @@ -8,3 +8,9 @@ winlogbeat.event_logs: - name: ForwardedEvents tags: [forwarded] + + - name: Windows PowerShell + event_id: 400, 403, 600, 800 + + - name: Microsoft-Windows-PowerShell/Operational + event_id: 4103, 4104, 4105, 4106 diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 092ad7516d1..8f54133b3b4 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -20,6 +20,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> 
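Review bot: The two new `event_logs` entries in winlogbeat.event_logs.yml.tmpl carry no comment, yet the module documentation added in this same change states that the 410x events on Microsoft-Windows-PowerShell/Operational are only emitted once module logging and script block logging have been enabled by policy, so a user enabling this stanza will see nothing from that channel by default. A one-line comment above the Operational entry, `# 4103-4106 require "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" to be enabled by policy.`, would make that visible where the channel is configured; the same applies to the generated copies of this stanza in winlogbeat.yml and winlogbeat.reference.yml. The changelog line on this same physical line lists event ID `4014` where the module and the config handle `4104`.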
@@ -7474,6 +7475,313 @@ type: keyword -- +[[exported-fields-powershell]] +== PowerShell module fields + +These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs. + + + +*`id`*:: ++ +-- +Shell Id. + +type: keyword + +example: Microsoft Powershell + +-- + +*`pipeline_id`*:: ++ +-- +Pipeline id. + +type: keyword + +example: 1 + +-- + +*`runspace_id`*:: ++ +-- +Runspace id. + +type: keyword + +example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb + +-- + +*`sequence`*:: ++ +-- +Sequence number of the powershell execution. + +type: long + +example: 1 + +-- + +*`total`*:: ++ +-- +Total number of messages in the sequence. + +type: long + +example: 10 + +-- + +[float] +=== powershell.command + +Data related to the executed command. + + +*`powershell.command.path`*:: ++ +-- +Path of the executed command. + +type: keyword + +example: C:\Windows\system32\cmd.exe + +-- + +*`powershell.command.name`*:: ++ +-- +Name of the executed command. + +type: keyword + +example: cmd.exe + +-- + +*`powershell.command.type`*:: ++ +-- +Type of the executed command. + +type: keyword + +example: Application + +-- + +*`powershell.command.value`*:: ++ +-- +The invoked command. + +type: text + +example: Import-LocalizedData LocalizedData -filename ArchiveResources + +-- + +*`powershell.command.invocation_details`*:: ++ +-- +An array of objects containing detailed information of the executed command. + + +type: array + +-- + +*`powershell.command.invocation_details.type`*:: ++ +-- +The type of detail. + +type: keyword + +example: CommandInvocation + +-- + +*`powershell.command.invocation_details.related_command`*:: ++ +-- +The command to which the detail is related to. + +type: keyword + +example: Add-Type + +-- + +*`powershell.command.invocation_details.name`*:: ++ +-- +Only used for ParameterBinding detail type. Indicates the parameter name. 
+ + +type: keyword + +example: AssemblyName + +-- + +*`powershell.command.invocation_details.value`*:: ++ +-- +The value of the detail. The meaning of it will depend on the detail type. + + +type: text + +example: System.IO.Compression.FileSystem + +-- + +[float] +=== powershell.connected_user + +Data related to the connected user executing the command. + + +*`powershell.connected_user.domain`*:: ++ +-- +User domain. + +type: keyword + +example: VAGRANT + +-- + +*`powershell.connected_user.name`*:: ++ +-- +User name. + +type: keyword + +example: vagrant + +-- + +[float] +=== powershell.engine + +Data related to the PowerShell engine. + + +*`powershell.engine.version`*:: ++ +-- +Version of the PowerShell engine version used to execute the command. + +type: keyword + +example: 5.1.17763.1007 + +-- + +*`powershell.engine.previous_state`*:: ++ +-- +Previous state of the PowerShell engine. + + +type: keyword + +example: Available + +-- + +*`powershell.engine.new_state`*:: ++ +-- +New state of the PowerShell engine. + + +type: keyword + +example: Stopped + +-- + +[float] +=== powershell.file + +Data related to the executed script file. + + +*`powershell.file.script_block_id`*:: ++ +-- +Id of the executed script block. + +type: keyword + +example: 50d2dbda-7361-4926-a94d-d9eadfdb43fa + +-- + +*`powershell.file.script_block_text`*:: ++ +-- +Text of the executed script block. + + +type: text + +example: .\a_script.ps1 + +-- + +*`powershell.process.executable_version`*:: ++ +-- +Version of the engine hosting process executable. + +type: keyword + +example: 5.1.17763.1007 + +-- + +[float] +=== powershell.provider + +Data related to the PowerShell engine host. + + +*`powershell.provider.new_state`*:: ++ +-- +New state of the PowerShell provider. + + +type: keyword + +example: Active + +-- + +*`powershell.provider.name`*:: ++ +-- +Provider name. + + +type: keyword + +example: Variable + +-- + [[exported-fields-process]] == Process fields 
diff --git a/winlogbeat/docs/images/kibana-powershell.jpg b/winlogbeat/docs/images/kibana-powershell.jpg new file mode 100644 index 00000000000..29c13553eb4 Binary files /dev/null and b/winlogbeat/docs/images/kibana-powershell.jpg differ diff --git a/winlogbeat/docs/modules/powershell.asciidoc b/winlogbeat/docs/modules/powershell.asciidoc new file mode 100644 index 00000000000..76faee1ebe3 --- /dev/null +++ b/winlogbeat/docs/modules/powershell.asciidoc 
@@ -0,0 +1,61 @@ +[[winlogbeat-module-powershell]] +[role="xpack"] +== PowerShell Module + +beta[] + +The PowerShell module processes event log records from the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs. + +The module has transformations for the following event IDs: + +* 400 - Engine state is changed from None to Available. +* 403 - Engine state is changed from Available to Stopped. +* 600 - A Provider is Started. +* 800 - Pipeline executed. +* 4103 - Module logging. +* 4104 - Script block logging. +* 4105 - Command started. +* 4106 - Command completed. + +[float] +=== Configuration + +By default, module and script block logging (event ID's 410x) are disabled, to enable them you can do so through "Windows Powershell" GPO settings and set "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" to enabled. + +Alternatively they can be enabled setting the following registry values: + +[source] +---- +HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging: EnableModuleLogging = 1 +HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging \ModuleNames: * = * +HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging: EnableScriptBlockLogging = 1 +HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging: EnableScriptBlockInvocationLogging = 1 +---- + +[source,yaml] +---- +winlogbeat.event_logs: + - name: Windows PowerShell + event_id: 400, 403, 600, 800 + processors: + - script: + lang: javascript + id: powershell + file: ${path.home}/module/powershell/config/winlogbeat-powershell.js + + - name: Microsoft-Windows-PowerShell/Operational + event_id: 4103, 4104, 4105, 4106 + processors: + - script: + lang: javascript + id: powershell-operational + file: ${path.home}/module/powershell/config/winlogbeat-powershell.js +---- + +[float] +=== Example dashboard + +This module comes with a sample dashboard. + +[role="screenshot"] +image::./images/kibana-powershell.jpg[] 
diff --git a/winlogbeat/docs/modules_list.asciidoc b/winlogbeat/docs/modules_list.asciidoc index ebfce1496a3..7383fefc164 100644 --- a/winlogbeat/docs/modules_list.asciidoc +++ b/winlogbeat/docs/modules_list.asciidoc @@ -2,11 +2,13 @@ This file is generated! See scripts/mage/docs.go or run 'mage docs'. //// + * <<{beatname_lc}-module-powershell,Powershell>> * <<{beatname_lc}-module-security,Security>> * <<{beatname_lc}-module-sysmon,Sysmon>> -- +include::./modules/powershell.asciidoc[] include::./modules/security.asciidoc[] include::./modules/sysmon.asciidoc[] diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index e65186e8413..019f328e159 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -34,6 +34,12 @@ winlogbeat.event_logs: - name: ForwardedEvents tags: [forwarded] + - name: Windows PowerShell + event_id: 400, 403, 600, 800 + + - name: Microsoft-Windows-PowerShell/Operational + event_id: 4103, 4104, 4105, 4106 + # ================================== General =================================== diff --git a/winlogbeat/winlogbeat.yml b/winlogbeat/winlogbeat.yml index d1308e2a2ed..999557a8bed 100644 --- a/winlogbeat/winlogbeat.yml +++ b/winlogbeat/winlogbeat.yml @@ -29,6 +29,12 @@ winlogbeat.event_logs: - name: ForwardedEvents tags: [forwarded] + - name: Windows PowerShell + event_id: 400, 403, 600, 800 + + - name: Microsoft-Windows-PowerShell/Operational + event_id: 4103, 4104, 4105, 4106 + # ====================== Elasticsearch template settings ======================= setup.template.settings: diff --git a/x-pack/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl b/x-pack/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl index 6c29d94f6db..bf3d2423a78 100644 --- a/x-pack/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl +++ b/x-pack/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl 
@@ -18,6 +18,22 @@ winlogbeat.event_logs: id: sysmon file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js + - name: Windows PowerShell + event_id: 400, 403, 600, 800 + processors: + - script: + lang: javascript + id: powershell + file: ${path.home}/module/powershell/config/winlogbeat-powershell.js + + - name: Microsoft-Windows-PowerShell/Operational + event_id: 4103, 4104, 4105, 4106 + processors: + - script: + lang: javascript + id: powershell + file: ${path.home}/module/powershell/config/winlogbeat-powershell.js + - name: ForwardedEvents tags: [forwarded] processors: @@ -31,3 +47,13 @@ winlogbeat.event_logs: lang: javascript id: sysmon file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js + - script: + when.equals.winlog.channel: Windows PowerShell + lang: javascript + id: powershell + file: ${path.home}/module/powershell/config/winlogbeat-powershell.js + - script: + when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational + lang: javascript + id: powershell + file: ${path.home}/module/powershell/config/winlogbeat-powershell.js diff --git a/x-pack/winlogbeat/include/list.go b/x-pack/winlogbeat/include/list.go index ae74b2a2dfd..af2071e249e 100644 --- a/x-pack/winlogbeat/include/list.go +++ b/x-pack/winlogbeat/include/list.go @@ -8,6 +8,7 @@ package include import ( // Import packages that need to register themselves. + _ "github.com/elastic/beats/v7/x-pack/winlogbeat/module/powershell" _ "github.com/elastic/beats/v7/x-pack/winlogbeat/module/security" _ "github.com/elastic/beats/v7/x-pack/winlogbeat/module/sysmon" ) diff --git a/x-pack/winlogbeat/module/powershell/_meta/docs.asciidoc b/x-pack/winlogbeat/module/powershell/_meta/docs.asciidoc new file mode 100644 index 00000000000..76faee1ebe3 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/_meta/docs.asciidoc 
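Review bot: In the second hunk (the ForwardedEvents entry) the two new script processors are gated only on `winlog.channel`, whereas the direct channel entries in the first hunk additionally restrict `event_id` to the eight supported IDs, so forwarded PowerShell events with any other ID also reach the script; whether winlogbeat-powershell.js ignores unknown codes cannot be confirmed from this diff, since the script is not part of it. This mirrors the existing sysmon entry, so if it is intentional a comment such as `# Forwarded events are not filtered by event_id; the script must ignore unsupported codes.` would make the contract explicit. Separately, both new processors use `id: powershell`, while the module documentation added in this change shows `id: powershell-operational` for the Operational channel; the shipped template and the documented example should agree.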
@@ -0,0 +1,61 @@ +[[winlogbeat-module-powershell]] +[role="xpack"] +== PowerShell Module + +beta[] + +The PowerShell module processes event log records from the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs. + +The module has transformations for the following event IDs: + +* 400 - Engine state is changed from None to Available. +* 403 - Engine state is changed from Available to Stopped. +* 600 - A Provider is Started. +* 800 - Pipeline executed. +* 4103 - Module logging. +* 4104 - Script block logging. +* 4105 - Command started. +* 4106 - Command completed. + +[float] +=== Configuration + +By default, module and script block logging (event ID's 410x) are disabled, to enable them you can do so through "Windows Powershell" GPO settings and set "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" to enabled. + +Alternatively they can be enabled setting the following registry values: + +[source] +---- +HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging: EnableModuleLogging = 1 +HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging \ModuleNames: * = * +HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging: EnableScriptBlockLogging = 1 +HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging: EnableScriptBlockInvocationLogging = 1 +---- + +[source,yaml] +---- +winlogbeat.event_logs: + - name: Windows PowerShell + event_id: 400, 403, 600, 800 + processors: + - script: + lang: javascript + id: powershell + file: ${path.home}/module/powershell/config/winlogbeat-powershell.js + + - name: Microsoft-Windows-PowerShell/Operational + event_id: 4103, 4104, 4105, 4106 + processors: + - script: + lang: javascript + id: powershell-operational + file: ${path.home}/module/powershell/config/winlogbeat-powershell.js +---- + +[float] +=== Example dashboard + +This module comes with a sample dashboard. + +[role="screenshot"] +image::./images/kibana-powershell.jpg[] 
diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml new file mode 100644 index 00000000000..b1aba35a180 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/_meta/fields.yml 
@@ -0,0 +1,153 @@ +- key: powershell + title: PowerShell module + description: > + These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs. + release: beta + fields: + + - name: id + type: keyword + description: Shell Id. + example: Microsoft Powershell + + - name: pipeline_id + type: keyword + description: Pipeline id. + example: "1" + + - name: runspace_id + type: keyword + description: Runspace id. + example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" + + - name: sequence + type: long + description: Sequence number of the powershell execution. + example: 1 + + - name: total + type: long + description: Total number of messages in the sequence. + example: 10 + + - name: powershell.command + type: group + description: Data related to the executed command. + fields: + - name: path + type: keyword + description: Path of the executed command. + example: "C:\\Windows\\system32\\cmd.exe" + + - name: name + type: keyword + description: Name of the executed command. + example: "cmd.exe" + + - name: type + type: keyword + description: Type of the executed command. + example: Application + + - name: value + type: text + description: The invoked command. + example: Import-LocalizedData LocalizedData -filename ArchiveResources + + - name: invocation_details + type: array + description: > + An array of objects containing detailed information of the executed command. + + - name: invocation_details.type + type: keyword + description: The type of detail. + example: CommandInvocation + + - name: invocation_details.related_command + type: keyword + description: The command to which the detail is related to. + example: Add-Type + + - name: invocation_details.name + type: keyword + description: > + Only used for ParameterBinding detail type. Indicates the parameter name. + example: AssemblyName + + - name: invocation_details.value + type: text + description: > + The value of the detail. 
The meaning of it will depend on the detail type. + example: System.IO.Compression.FileSystem + + - name: powershell.connected_user + type: group + description: Data related to the connected user executing the command. + fields: + - name: domain + type: keyword + description: User domain. + example: VAGRANT + + - name: name + type: keyword + description: User name. + example: vagrant + + - name: powershell.engine + type: group + description: Data related to the PowerShell engine. + fields: + - name: version + type: keyword + description: Version of the PowerShell engine version used to execute the command. + example: "5.1.17763.1007" + + - name: previous_state + type: keyword + description: > + Previous state of the PowerShell engine. + example: Available + + - name: new_state + type: keyword + description: > + New state of the PowerShell engine. + example: Stopped + + - name: powershell.file + type: group + description: Data related to the executed script file. + fields: + - name: script_block_id + type: keyword + description: Id of the executed script block. + example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" + + - name: script_block_text + type: text + description: > + Text of the executed script block. + example: ".\\a_script.ps1" + + - name: powershell.process.executable_version + type: keyword + description: Version of the engine hosting process executable. + example: "5.1.17763.1007" + + - name: powershell.provider + type: group + description: Data related to the PowerShell engine host. + fields: + - name: new_state + type: keyword + description: > + New state of the PowerShell provider. + example: Active + + - name: name + type: keyword + description: > + Provider name. + example: Variable 
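Review bot: The first five fields (`id`, `pipeline_id`, `runspace_id`, `sequence`, `total`) are declared without the `powershell.` prefix, while every other field in this file is declared with its full path (`powershell.command`, `powershell.engine`, and so on); the generated fields.asciidoc earlier in this diff documents them as top-level `id`/`sequence`/`total`, which places module-specific data outside the module namespace and could collide with any other source writing those names. Unless the processor script really emits them at the root, rename them to `- name: powershell.id` and likewise for the other four. Also, the `powershell.provider` group is described as `Data related to the PowerShell engine host.`, which reads as copied from the engine group; `Data related to the PowerShell provider.` matches the fields it contains.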
diff --git a/x-pack/winlogbeat/module/powershell/_meta/images/kibana-powershell.jpg b/x-pack/winlogbeat/module/powershell/_meta/images/kibana-powershell.jpg new file mode 100644 index 00000000000..29c13553eb4 Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/_meta/images/kibana-powershell.jpg differ diff --git a/x-pack/winlogbeat/module/powershell/_meta/kibana/7/dashboard/Powershell-Overview-Dashboard.json b/x-pack/winlogbeat/module/powershell/_meta/kibana/7/dashboard/Powershell-Overview-Dashboard.json new file mode 100644 index 00000000000..29dcda9a181 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/_meta/kibana/7/dashboard/Powershell-Overview-Dashboard.json 
@@ -0,0 +1,2366 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview dashboard por powershell module.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "fa41e799-b6b3-49ec-a11c-3f20231a4a79", + "w": 13, + "x": 0, + "y": 0 + }, + "panelIndex": "fa41e799-b6b3-49ec-a11c-3f20231a4a79", + "panelRefName": "panel_0", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 6, + "i": "65ce6b63-6ce0-4094-ab23-189126fc169f", + "w": 7, + "x": 13, + "y": 0 + }, + "panelIndex": "65ce6b63-6ce0-4094-ab23-189126fc169f", + "panelRefName": "panel_1", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 6, + "i": "314e6f55-a05a-4ae3-ab76-bcae7f2074ab", + "w": 8, + "x": 20, + "y": 0 + }, + "panelIndex": "314e6f55-a05a-4ae3-ab76-bcae7f2074ab", + "panelRefName": "panel_2", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 6, + "i": "a1f161f6-1abe-4177-9ede-4d1984f5a963", + "w": 7, + "x": 28, + "y": 0 + }, + "panelIndex": "a1f161f6-1abe-4177-9ede-4d1984f5a963", + "panelRefName": "panel_3", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 6, + "i": "6b7ed122-22f3-4e9d-89eb-8de92c0d2033", + "w": 4, + "x": 35, + "y": 0 + }, + "panelIndex": "6b7ed122-22f3-4e9d-89eb-8de92c0d2033", + "panelRefName": "panel_4", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 6, + "i": "d536f6a7-ad28-4a32-9319-9e0b983828bf", + "w": 4, + "x": 39, + "y": 0 + }, + "panelIndex": "d536f6a7-ad28-4a32-9319-9e0b983828bf", + "panelRefName": "panel_5", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 6, + "i": "eda6d08f-b45e-448a-bf9f-afa5516d4b4b", + "w": 4, + "x": 43, + "y": 0 + }, + 
"panelIndex": "eda6d08f-b45e-448a-bf9f-afa5516d4b4b", + "panelRefName": "panel_6", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "56d2dd76-6fec-422b-96e9-22791b0c5f0c", + "w": 10, + "x": 13, + "y": 6 + }, + "panelIndex": "56d2dd76-6fec-422b-96e9-22791b0c5f0c", + "panelRefName": "panel_7", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5", + "w": 12, + "x": 23, + "y": 6 + }, + "panelIndex": "3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5", + "panelRefName": "panel_8", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "a8c00572-667b-4e39-8b0c-10be56fbadd5", + "w": 12, + "x": 35, + "y": 6 + }, + "panelIndex": "a8c00572-667b-4e39-8b0c-10be56fbadd5", + "panelRefName": "panel_9", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "e8a57cba-14d2-4cd9-a727-f5e30165f6ba", + "w": 13, + "x": 0, + "y": 8 + }, + "panelIndex": "e8a57cba-14d2-4cd9-a727-f5e30165f6ba", + "panelRefName": "panel_10", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "8ae39cfa-cb06-45eb-880e-b749c3355d61", + "w": 12, + "x": 23, + "y": 13 + }, + "panelIndex": "8ae39cfa-cb06-45eb-880e-b749c3355d61", + "panelRefName": "panel_11", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "ef92d192-b56d-476c-b640-e226679ed178", + "w": 12, + "x": 35, + "y": 13 + }, + "panelIndex": "ef92d192-b56d-476c-b640-e226679ed178", + "panelRefName": "panel_12", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "b15dcac5-3616-4b41-8abb-cb28398b16f4", + "w": 13, + "x": 0, + "y": 16 + }, + "panelIndex": "b15dcac5-3616-4b41-8abb-cb28398b16f4", + "panelRefName": "panel_13", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "23af61c8-6a45-4d7d-9905-8ed265328130", + "w": 10, + "x": 13, + "y": 
16 + }, + "panelIndex": "23af61c8-6a45-4d7d-9905-8ed265328130", + "panelRefName": "panel_14", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "390068ed-b7fb-4ec1-87d5-e89f7cc82e04", + "w": 12, + "x": 23, + "y": 20 + }, + "panelIndex": "390068ed-b7fb-4ec1-87d5-e89f7cc82e04", + "panelRefName": "panel_15", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "45724dca-fea2-4f3b-af79-cf89bb12a31b", + "w": 12, + "x": 35, + "y": 20 + }, + "panelIndex": "45724dca-fea2-4f3b-af79-cf89bb12a31b", + "panelRefName": "panel_16", + "version": "7.6.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "7f0c4a51-d972-42a5-ba0a-d3de814c7440", + "w": 47, + "x": 0, + "y": 27 + }, + "panelIndex": "7f0c4a51-d972-42a5-ba0a-d3de814c7440", + "panelRefName": "panel_17", + "version": "7.6.0" + } + ], + "timeRestore": false, + "title": "[Winlogbeat powershell] Overview", + "version": 1 + }, + "id": "c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "78874900-9f30-11ea-bef1-95118e62a7c1", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "e64ff750-9f28-11ea-bef1-95118e62a7c1", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "2dbabdf0-9f29-11ea-bef1-95118e62a7c1", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "92a2a6b0-9f29-11ea-bef1-95118e62a7c1", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "1eeaaf70-9f23-11ea-bef1-95118e62a7c1", + "name": "panel_8", + 
"type": "visualization" + }, + { + "id": "f9fa55f0-9f34-11ea-bef1-95118e62a7c1", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "d27dea70-9f32-11ea-bef1-95118e62a7c1", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "70751050-9f33-11ea-bef1-95118e62a7c1", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_15", + "type": "visualization" + }, + { + "id": "c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_16", + "type": "visualization" + }, + { + "id": "11a61760-9f27-11ea-bef1-95118e62a7c1", + "name": "panel_17", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "WzczLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Connected users [Winlogbeat powershell]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User", + "field": "powershell.connected_user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "4", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 
+ }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Host count", + "field": "host.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://192.168.1.48:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "User", + "params": {} + } + ], + "metrics": [ + { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + }, + { + "accessor": 2, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "label": "Unique count of host.name", + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Connected users [Winlogbeat powershell]", + "type": "table" + } + }, + "id": "9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzc0LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Total engine started [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, 
+ "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "event.code: 400" + }, + "label": "" + } + ] + }, + "schema": "group", + "type": "filters" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "bucket": { + "accessor": 0, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "metrics": [ + { + "accessor": 1, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 32, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Total engine started [Winlogbeat powershell]", + "type": "metric" + } + }, + "id": "52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzc1LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Total commands [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { 
+ "enabled": true, + "id": "2", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "powershell.command.name: * " + }, + "label": "Commands" + } + ] + }, + "schema": "group", + "type": "filters" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "bucket": { + "accessor": 0, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "metrics": [ + { + "accessor": 1, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 32, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Total commands [Winlogbeat powershell]", + "type": "metric" + } + }, + "id": "7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzc2LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Total remote commands [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + 
"filters": [ + { + "input": { + "language": "kuery", + "query": "process.title:\"ServerRemoteHost\" " + }, + "label": "Remote commands" + } + ] + }, + "schema": "group", + "type": "filters" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "bucket": { + "accessor": 0, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "metrics": [ + { + "accessor": 1, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 32, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Total remote commands [Winlogbeat powershell]", + "type": "metric" + } + }, + "id": "78874900-9f30-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzc3LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Unique users [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Unique users", + "field": "related.user" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + 
"addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 32, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Unique users [Winlogbeat powershell]", + "type": "metric" + } + }, + "id": "e64ff750-9f28-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzc4LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Unique engine versions [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Unique versions", + "field": "powershell.engine.version" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + 
"invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 32, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Unique engine versions [Winlogbeat powershell]", + "type": "metric" + } + }, + "id": "2dbabdf0-9f29-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzc5LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Unique hosts [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Unique hosts", + "field": "host.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 32, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Unique hosts [Winlogbeat powershell]", + "type": 
"metric" + } + }, + "id": "92a2a6b0-9f29-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "WzgwLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Engine versions ran by host [Winlogbeat powershell]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Host", + "field": "host.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "3", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Version count", + "field": "powershell.engine.version" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://192.168.1.48:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "Host", + "params": {} + } + ], + "metrics": [ + { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + }, + { + "accessor": 2, + "aggType": "cardinality", + "format": { + 
"id": "number" + }, + "label": "Version count", + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Engine versions ran by host [Winlogbeat powershell]", + "type": "table" + } + }, + "id": "e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "WzgxLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Engine versions [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Engine version", + "field": "powershell.engine.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "metric": { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": false, + "show": false, + "truncate": 100, + "values": false + }, + "legendPosition": "right", + "type": "pie" + }, + 
"title": "Engine versions [Winlogbeat powershell]", + "type": "pie" + } + }, + "id": "1eeaaf70-9f23-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "WzgyLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Host processes [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "process.title", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://192.168.1.48:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "process.title: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": false, + "show": false, + "truncate": 100, + "values": false + }, + "legendPosition": "right", + 
"type": "pie" + }, + "title": "Host processes [Winlogbeat powershell]", + "type": "pie" + } + }, + "id": "f9fa55f0-9f34-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "WzgzLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Users [Winlogbeat powershell]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "User", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Host count", + "field": "host.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://192.168.1.48:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "User", + "params": {} + } + ], + "metrics": [ + { + "accessor": 1, + "aggType": "count", + 
"format": { + "id": "number" + }, + "label": "Count", + "params": {} + }, + { + "accessor": 2, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "label": "Unique count of host.name", + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Users [Winlogbeat powershell]", + "type": "table" + } + }, + "id": "3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzg0LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Event type [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Event type", + "field": "event.code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + 
"parsedUrl": { + "basePath": "", + "origin": "http://192.168.1.48:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "event.code: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": false, + "show": false, + "truncate": 100, + "values": false + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Event type [Winlogbeat powershell]", + "type": "pie" + } + }, + "id": "d27dea70-9f32-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzg1LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Event Levels [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "log.level", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + 
"parsedUrl": { + "basePath": "", + "origin": "http://192.168.1.48:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "log.level: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": false, + "show": false, + "truncate": 100, + "values": false + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Event Levels [Winlogbeat powershell]", + "type": "pie" + } + }, + "id": "fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzg2LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Engine and Command started[Winlogbeat powershell]", + "uiStateJSON": { + "vis": { + "colors": { + "*": "#EAB839", + "Engine stopped": "#BF1B00" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-1d", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "4", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + 
"query": "event.code: \"400\" " + }, + "label": "Engine started" + }, + { + "input": { + "language": "kuery", + "query": "event.code: \"4105\" " + }, + "label": "Command started" + } + ] + }, + "schema": "group", + "type": "filters" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "filters", + "format": {}, + "label": "filters", + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "HH:mm" + } + }, + "label": "@timestamp per 30 minutes", + "params": { + "bounds": { + "max": "2020-05-26T09:14:29.996Z", + "min": "2020-05-25T09:14:29.996Z" + }, + "date": true, + "format": "HH:mm", + "interval": "PT30M", + "intervalESUnit": "m", + "intervalESValue": 30 + } + }, + "y": [ + { + "accessor": 2, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + ] + }, + "grid": { + "categoryLines": false + }, + "labels": {}, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "defaultYExtents": false, + "mode": "normal", + 
"setYExtents": false, + "type": "log" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Engine and Command started[Winlogbeat powershell]", + "type": "line" + } + }, + "id": "7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzg3LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Top active hosts [Winlogbeat powershell]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "host.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [], + "metrics": [ + { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top active hosts [Winlogbeat powershell]", + "type": "table" + } + 
}, + "id": "70751050-9f33-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzg4LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "powershell.command.invocation_details.type", + "negate": false, + "params": { + "query": "CommandInvocation" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "powershell.command.invocation_details.type": "CommandInvocation" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Top Invoked Commands [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "powershell.command.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://192.168.1.48:5601", + 
"pathname": "/app/kibana" + } + } + }, + "label": "powershell.command.invocation_details.related_command: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": false, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top Invoked Commands [Winlogbeat powershell]", + "type": "pie" + } + }, + "id": "b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "Wzg5LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" " + } + } + }, + "title": "Started providers [Winlogbeat powershell]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "powershell.provider.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", 
+ "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://192.168.1.48:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "powershell.provider.name: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": false, + "show": false, + "truncate": 100, + "values": false + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Started providers [Winlogbeat powershell]", + "type": "pie" + } + }, + "id": "c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-05-26T12:55:23.284Z", + "version": "WzkwLDFd" + }, + { + "attributes": { + "columns": [ + "powershell.runspace_id", + "powershell.pipeline_id", + "process.args", + "powershell.command.invocation_details" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "(winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" ) and (process.args : * or powershell.command.invocation_details.related_command: * )" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Details [Winlogbeat powershell]", + "version": 1 + }, + "id": "11a61760-9f27-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern"
+ }
+ ],
+ "type": "search",
+ "updated_at": "2020-05-26T12:55:23.284Z",
+ "version": "WzkxLDFd"
+ }
+ ],
+ "version": "7.6.0"
+ }
diff --git a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js
new file mode 100644
index 00000000000..7bf8c6afd35
--- /dev/null
+++ b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js
@@ -0,0 +1,626 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var powershell = (function () {
+ var path = require("path");
+ var processor = require("processor");
+ var winlogbeat = require("winlogbeat");
+
+ var normalizeCommonFieldNames = new processor.Convert({
+ fields: [
+ {
+ from: "winlog.event_data.Engine Version",
+ to: "winlog.event_data.EngineVersion",
+ },
+ {
+ from: "winlog.event_data.Pipeline ID",
+ to: "winlog.event_data.PipelineId",
+ },
+ {
+ from: "winlog.event_data.Runspace ID",
+ to: "winlog.event_data.RunspaceId",
+ },
+ {
+ from: "winlog.event_data.Host Version",
+ to: "winlog.event_data.HostVersion",
+ },
+ {
+ from: "winlog.event_data.Script Name",
+ to: "winlog.event_data.ScriptName",
+ },
+ {
+ from: "winlog.event_data.Path",
+ to: "winlog.event_data.ScriptName",
+ },
+ {
+ from: "winlog.event_data.Command Path",
+ to: "winlog.event_data.CommandPath",
+ },
+ {
+ from: "winlog.event_data.Command Name",
+ to: "winlog.event_data.CommandName",
+ },
+ {
+ from: "winlog.event_data.Command Type",
+ to: "winlog.event_data.CommandType",
+ },
+ {
+ from: "winlog.event_data.User",
+ to: "winlog.event_data.UserId",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+
+ // Builds a dissect tokenizer.
+ //
+ // - chunks: number of chunks dissect needs to look for.
+ // - delimiter: indicates what is the delimiter between chunks,
+ // in addition to `\n` which is already expected.
+ // - sep: separator between key value pairs.
+ //
+ // example:
+ // For a string like "Foo=Bar\n\tBar=Baz", chunks: 2, delimiter: '\t', sep: '='
+ var buildNewlineSpacedTokenizer = function (chunks, delimiter, sep) {
+ var tokenizer = "";
+ for (var i = 0; i < chunks; i++) {
+ if (i !== 0) {
+ tokenizer += "\n%{}";
+ }
+ tokenizer += delimiter+"%{*p"+i+"}"+sep+"%{&p"+i+"}";
+ }
+ return tokenizer;
+ };
+
+ var dissectField = function (fromField, targetPrefix, chunks, delimiter, sep) {
+ return new processor.Dissect({
+ field: fromField,
+ target_prefix: targetPrefix,
+ tokenizer: buildNewlineSpacedTokenizer(chunks, delimiter, sep),
+ fail_on_error: false,
+ });
+ };
+
+ var dissect4xxAnd600 = function (evt) {
+ dissectField("winlog.event_data.param3", "winlog.event_data", 15, "\t", "=").Run(evt);
+
+ // these fields contain redundant information.
+ evt.Delete("winlog.event_data.param1");
+ evt.Delete("winlog.event_data.param2");
+ evt.Delete("winlog.event_data.param3");
+ };
+
+ var dissect800Detail = function (evt) {
+ dissectField("winlog.event_data.param2", "winlog.event_data", 13, "\t", "=").Run(evt);
+
+ // these fields contain redundant information.
+ evt.Delete("winlog.event_data.param1");
+ evt.Delete("winlog.event_data.param2");
+ };
+
+ var dissect4103 = function (evt) {
+ dissectField("winlog.event_data.ContextInfo", "winlog.event_data", 16, " ", " = ").Run(evt);
+
+ // these fields contain redundant information.
+ evt.Delete("winlog.event_data.ContextInfo");
+ evt.Delete("winlog.event_data.Severity");
+ };
+
+ var addEngineVersion = function (evt) {
+ var version = evt.Get("winlog.event_data.EngineVersion");
+ evt.Delete("winlog.event_data.EngineVersion");
+ if (!version) {
+ return;
+ }
+
+ evt.Put("powershell.engine.version", version);
+ };
+
+ var addPipelineID = function (evt) {
+ var id = evt.Get("winlog.event_data.PipelineId");
+ evt.Delete("winlog.event_data.PipelineId");
+ if (!id) {
+ return;
+ }
+
+ evt.Put("powershell.pipeline_id", id);
+ };
+
+ var addRunspaceID = function (evt) {
+ var id = evt.Get("winlog.event_data.RunspaceId");
+ evt.Delete("winlog.event_data.RunspaceId");
+ if (!id) {
+ return;
+ }
+
+ evt.Put("powershell.runspace_id", id);
+ };
+
+ var addScriptBlockID = function (evt) {
+ var id = evt.Get("winlog.event_data.ScriptBlockId");
+ evt.Delete("winlog.event_data.ScriptBlockId");
+ if (!id) {
+ return;
+ }
+
+ evt.Put("powershell.file.script_block_id", id);
+ };
+
+ var addScriptBlockText = function (evt) {
+ var text = evt.Get("winlog.event_data.ScriptBlockText");
+ evt.Delete("winlog.event_data.ScriptBlockText");
+ if (!text) {
+ return;
+ }
+
+ evt.Put("powershell.file.script_block_text", text);
+ };
+
+ var splitCommandLine = function (evt, source, target) {
+ var commandLine = evt.Get(source);
+ if (!commandLine) {
+ return;
+ }
+ evt.Put(target, winlogbeat.splitCommandLine(commandLine));
+ };
+
+ var addProcessArgs = function (evt) {
+ splitCommandLine(evt, "process.command_line", "process.args");
+ var args = evt.Get("process.args");
+ if (args.length > 0) {
+ evt.Put("process.args_count", args.length);
+ }
+ };
+
+ var addExecutableVersion = function (evt) {
+ var version = evt.Get("winlog.event_data.HostVersion");
+ evt.Delete("winlog.event_data.HostVersion");
+ if (!version) {
+ return;
+ }
+
+ evt.Put("powershell.process.executable_version", version);
+ };
+
+ var addFileInfo = function (evt) {
+ var scriptName = evt.Get("winlog.event_data.ScriptName");
+ evt.Delete("winlog.event_data.ScriptName");
+ if (!scriptName) {
+ return;
+ }
+
+ evt.Put("file.path", scriptName);
+ evt.Put("file.name", path.basename(scriptName));
+ evt.Put("file.directory", path.dirname(scriptName));
+
+ // path returns extensions with a preceding ., e.g.: .tmp, .png
+ // according to ecs the expected format is without it, so we need to remove it.
+ var ext = path.extname(scriptName);
+ if (!ext) {
+ return;
+ }
+
+ if (ext.charAt(0) === ".") {
+ ext = ext.substr(1);
+ }
+ evt.Put("file.extension", ext);
+ };
+
+ var addCommandValue = function (evt) {
+ var value = evt.Get("winlog.event_data.CommandLine")
+ evt.Delete("winlog.event_data.CommandLine");
+ if (!value) {
+ return;
+ }
+
+ evt.Put("powershell.command.value", value.trim());
+ };
+
+ var addCommandPath = function (evt) {
+ var commandPath = evt.Get("winlog.event_data.CommandPath");
+ evt.Delete("winlog.event_data.CommandPath");
+ if (!commandPath) {
+ return;
+ }
+
+ evt.Put("powershell.command.path", commandPath);
+ };
+
+ var addCommandName = function (evt) {
+ var commandName = evt.Get("winlog.event_data.CommandName");
+ evt.Delete("winlog.event_data.CommandName");
+ if (!commandName) {
+ return;
+ }
+
+ evt.Put("powershell.command.name", commandName);
+ };
+
+ var addCommandType = function (evt) {
+ var commandType = evt.Get("winlog.event_data.CommandType");
+ evt.Delete("winlog.event_data.CommandType");
+ if (!commandType) {
+ return;
+ }
+
+ evt.Put("powershell.command.type", commandType);
+ };
+
+ var detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
+ var parameterBindingRegex = /^.*name\=(.+);\s*value\=(.+)$/
+
+ // Parses a command invocation detail raw line, and converts it to an object, based on its type.
+ //
+ // - for unexpectedly formatted ones: {value: "the raw line as it is"}
+ // - for all:
+ // * related_command: describes to what command it is related to
+ // * value: the value for that detail line
+ // * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError
+ // - additionally, ParameterBinding adds a `name` field with the parameter name being bound.
+ var parseRawDetail = function (raw) {
+ var matches = detailRegex.exec(raw);
+ if (!matches || matches.length !== 4) {
+ return {value: raw};
+ }
+
+ if (matches[1] !== "ParameterBinding") {
+ return {type: matches[1], related_command: matches[2], value: matches[3]};
+ }
+
+ var nameValMatches = parameterBindingRegex.exec(matches[3]);
+ if (!nameValMatches || nameValMatches.length !== 3) {
+ return {value: matches[3]};
+ }
+
+ return {
+ type: matches[1],
+ related_command: matches[2],
+ name: nameValMatches[1],
+ value: nameValMatches[2],
+ };
+ };
+
+ var addCommandInvocationDetails = function (evt, from) {
+ var rawDetails = evt.Get(from);
+ if (!rawDetails) {
+ return;
+ }
+
+ var details = [];
+ rawDetails.split("\n").forEach(function (raw) {
+ details.push(parseRawDetail(raw));
+ });
+
+ if (details.length === 0) {
+ return;
+ }
+
+ evt.Delete(from);
+ evt.Put("powershell.command.invocation_details", details);
+ };
+
+ var addCommandInvocationDetailsForEvent800 = function (evt) {
+ addCommandInvocationDetails(evt, "winlog.event_data.param3");
+ };
+
+ var addCommandInvocationDetailsForEvent4103 = function (evt) {
+ addCommandInvocationDetails(evt, "winlog.event_data.Payload");
+ };
+
+ var addUser = function (evt) {
+ var userParts = evt.Get("winlog.event_data.UserId").split("\\");
+ evt.Delete("winlog.event_data.UserId");
+ if (userParts.length === 2) {
+ evt.Delete("user");
+ evt.Put("user.domain", userParts[0]);
+ evt.Put("user.name", userParts[1]);
+ evt.AppendTo("related.user", userParts[1]);
+ evt.Delete("winlog.event_data.UserId");
+ }
+ };
+
+ var addConnectedUser = function (evt) {
+ var userParts = evt.Get("winlog.event_data.Connected User").split("\\");
+ evt.Delete("winlog.event_data.Connected User");
+ if (userParts.length === 2) {
+ evt.Put("powershell.connected_user.domain", userParts[0]);
+ evt.Put("powershell.connected_user.name", userParts[1]);
+ evt.AppendTo("related.user", userParts[1]);
+ }
+ };
+
+ var removeEmptyEventData = function (evt) {
+ var eventData = evt.Get("winlog.event_data");
+ if (eventData && Object.keys(eventData).length === 0) {
+ evt.Delete("winlog.event_data");
+ }
+ };
+
+ var event4xxAnd600Common = new processor.Chain()
+ .Add(dissect4xxAnd600)
+ .Convert({
+ fields: [
+ {
+ from: "winlog.event_data.SequenceNumber",
+ to: "event.sequence",
+ type: "long",
+ },
+ {
+ from: "winlog.event_data.NewEngineState",
+ to: "powershell.engine.new_state",
+ },
+ {
+ from: "winlog.event_data.PreviousEngineState",
+ to: "powershell.engine.previous_state",
+ },
+ {
+ from: "winlog.event_data.NewProviderState",
+ to: "powershell.provider.new_state",
+ },
+ {
+ from: "winlog.event_data.ProviderName",
+ to: "powershell.provider.name",
+ },
+ {
+ from: "winlog.event_data.HostId",
+ to: "process.entity_id",
+ },
+ {
+ from: "winlog.event_data.HostApplication",
+ to: "process.command_line",
+ },
+ {
+ from: "winlog.event_data.HostName",
+ to: "process.title",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(addEngineVersion)
+ .Add(addPipelineID)
+ .Add(addRunspaceID)
+ .Add(addProcessArgs)
+ .Add(addExecutableVersion)
+ .Add(addFileInfo)
+ .Add(addCommandValue)
+ .Add(addCommandPath)
+ .Add(addCommandName)
+ .Add(addCommandType)
+ .Add(removeEmptyEventData)
+ .Build();
+
+ var event400 = new processor.Chain()
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["start"],
+ },
+ target: "event",
+ })
+ .Add(event4xxAnd600Common)
+ .Build()
+
+ var event403 = new processor.Chain()
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["end"],
+ },
+ target: "event",
+ })
+ .Add(event4xxAnd600Common)
+ .Build()
+
+ var event600 = new processor.Chain()
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["info"],
+ },
+ target: "event",
+ })
+ .Add(event4xxAnd600Common)
+ .Build()
+
+ var event800 = new processor.Chain()
+ .Add(dissect800Detail)
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["info"],
+ },
+ target: "event",
+ })
+ .Convert({
+ fields: [
+ {
+ from: "winlog.event_data.SequenceNumber",
+ to: "event.sequence",
+ type: "long",
+ },
+ {
+ from: "winlog.event_data.HostId",
+ to: "process.entity_id",
+ },
+ {
+ from: "winlog.event_data.HostApplication",
+ to: "process.command_line",
+ },
+ {
+ from: "winlog.event_data.HostName",
+ to: "process.title",
+ },
+ {
+ from: "winlog.event_data.DetailTotal",
+ to: "powershell.total",
+ type: "long",
+ },
+ {
+ from: "winlog.event_data.DetailSequence",
+ to: "powershell.sequence",
+ type: "long",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(addEngineVersion)
+ .Add(addPipelineID)
+ .Add(addRunspaceID)
+ .Add(addProcessArgs)
+ .Add(addExecutableVersion)
+ .Add(addFileInfo)
+ .Add(addCommandValue)
+ .Add(addCommandPath)
+ .Add(addCommandName)
+ .Add(addCommandType)
+ .Add(addUser)
+ .Add(addCommandInvocationDetailsForEvent800)
+ .Add(removeEmptyEventData)
+ .Build();
+
+ var event4103 = new processor.Chain()
+ .Add(dissect4103)
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["info"],
+ },
+ target: "event",
+ })
+ .Convert({
+ fields: [
+ {
+ from: "winlog.event_data.Sequence Number",
+ to: "event.sequence",
+ type: "long",
+ },
+ {
+ from: "winlog.event_data.Host ID",
+ to: "process.entity_id",
+ },
+ {
+ from: "winlog.event_data.Host Application",
+ to: "process.command_line",
+ },
+ {
+ from: "winlog.event_data.Host Name",
+ to: "process.title",
+ },
+ {
+ from: "winlog.event_data.Shell ID",
+ to: "powershell.id",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(normalizeCommonFieldNames)
+ .Add(addEngineVersion)
+ .Add(addPipelineID)
+ .Add(addRunspaceID)
+ .Add(addProcessArgs)
+ .Add(addExecutableVersion)
+ .Add(addFileInfo)
+ .Add(addCommandValue)
+ .Add(addCommandPath)
+ .Add(addCommandName)
+ .Add(addCommandType)
+ .Add(addUser)
+ .Add(addConnectedUser)
+ .Add(addCommandInvocationDetailsForEvent4103)
+ .Add(removeEmptyEventData)
+ .Build();
+
+ var event4104 = new processor.Chain()
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["info"],
+ },
+ target: "event",
+ })
+ .Convert({
+ fields: [
+ {
+ from: "winlog.event_data.MessageNumber",
+ to: "powershell.sequence",
+ type: "long",
+ },
+ {
+ from: "winlog.event_data.MessageTotal",
+ to: "powershell.total",
+ type: "long",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(normalizeCommonFieldNames)
+ .Add(addFileInfo)
+ .Add(addScriptBlockID)
+ .Add(addScriptBlockText)
+ .Add(removeEmptyEventData)
+ .Build();
+
+ var event4105And4106Common = new processor.Chain()
+ .Add(addRunspaceID)
+ .Add(addScriptBlockID)
+ .Add(removeEmptyEventData)
+ .Build();
+
+ var event4105 = new processor.Chain()
+ .Add(event4105And4106Common)
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["start"],
+ },
+ target: "event",
+ })
+ .Build();
+
+ var event4106 = new processor.Chain()
+ .Add(event4105And4106Common)
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["end"],
+ },
+ target: "event",
+ })
+ .Build();
+
+ return {
+ 400: event400.Run,
+ 403: event403.Run,
+ 600: event600.Run,
+ 800: event800.Run,
+ 4103: event4103.Run,
+ 4104: event4104.Run,
+ 4105: event4105.Run,
+ 4106: event4106.Run,
+
+ process: function(evt) {
+ var eventId = evt.Get("winlog.event_id");
+ var processor = this[eventId];
+ if (processor === undefined) {
+ return;
+ }
+ evt.Put("event.module", "powershell");
+ processor(evt);
+ },
+ };
+})();
+
+function process(evt) {
+ return powershell.process(evt);
+}
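Review bot: `addUser`, `addConnectedUser` and `addProcessArgs` dereference values that may be absent: `evt.Get("winlog.event_data.UserId").split("\\")` and `evt.Get("winlog.event_data.Connected User").split("\\")` throw a TypeError when the key is missing, and `args.length` in `addProcessArgs` throws when `process.command_line` was not set, because the `splitCommandLine` early return then leaves `process.args` unset. The three dissect processors run with `fail_on_error: false`, so as far as I can tell a payload that does not match the expected 15/13/16-chunk layout silently yields none of those keys and the event then dies in the helper instead of being emitted with partial fields; the sibling helpers (`addEngineVersion`, `addRunspaceID`, `addScriptBlockID`, …) already guard with `if (!x) { return; }` and these three should match that pattern, e.g. `if (args && args.length > 0) {` in `addProcessArgs`. `addUser` also calls `evt.Delete("winlog.event_data.UserId")` twice; the second call inside the `if` is redundant. A guarded `addUser` is sketched below; `addConnectedUser` needs the same shape.
```javascript
var addUser = function (evt) {
    var userId = evt.Get("winlog.event_data.UserId");
    evt.Delete("winlog.event_data.UserId");
    if (!userId) {
        return;
    }
    var userParts = userId.split("\\");
    if (userParts.length === 2) {
        evt.Delete("user");
        evt.Put("user.domain", userParts[0]);
        evt.Put("user.name", userParts[1]);
        evt.AppendTo("related.user", userParts[1]);
    }
};
// … unchanged: addConnectedUser (apply the same null check), removeEmptyEventData, chains …
```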
diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go new file mode 100644 index 00000000000..928c8c2172c --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package powershell + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("winlogbeat", "powershell", asset.ModuleFieldsPri, AssetPowershell); err != nil { + panic(err) + } +} + +// AssetPowershell returns asset data. +// This is the base64 encoded gzipped contents of module/powershell. +func AssetPowershell() string { + return "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" +} diff --git a/x-pack/winlogbeat/module/powershell/test/powershell_windows_test.go b/x-pack/winlogbeat/module/powershell/test/powershell_windows_test.go new file mode 100644 index 00000000000..46c4f463f40 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/powershell_windows_test.go 
@@ -0,0 +1,26 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package test
+
+import (
+ "testing"
+
+ "github.com/elastic/beats/v7/x-pack/winlogbeat/module"
+
+ // Register required processors.
+ _ "github.com/elastic/beats/v7/libbeat/cmd/instance"
+ _ "github.com/elastic/beats/v7/libbeat/processors/timestamp"
+)
+
+// Ignore these fields because they can be different on different versions
+// of windows.
+var ignoreFields = []string{
+ "message",
+}
+
+func TestPowerShell(t *testing.T) {
+ module.TestPipeline(t, "testdata/*.evtx", "../config/winlogbeat-powershell.js",
+ module.WithFieldFilter(ignoreFields))
+}
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx
new file mode 100644
index 00000000000..7f3ed398d2d
Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx differ
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json
new file mode 100644
index 00000000000..fff87ba0efa
--- /dev/null
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json
@@ -0,0 +1,175 @@ +[ + { + "@timestamp": "2020-05-14T07:00:30.8914235Z", + "event": { + "action": "Engine Lifecycle", + "category": [ + "process" + ], + "code": 400, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 13, + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "2458050c-5e21-47a6-bbdf-41ef2151b519", + "title": "ServerRemoteHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 400, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1492, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-14T07:01:14.3715076Z", + "event": { + "action": "Engine Lifecycle", + "category": [ + "process" + ], + "code": 400, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 13, + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "056a5045-a7bb-49c6-9a9d-2ea95acea751" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "83c6a631-910d-4530-bec2-18b2d0fc380a", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 400, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1511, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-14T11:32:51.9892568Z", + "event": { + "action": "Engine Lifecycle", + "category": [ + "process" + ], + "code": 400, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 13, + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "24067d05-e98a-4fbb-9cda-020e4c65017d" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\patata.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1", + "entity_id": "f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab", + "title": "Windows PowerShell ISE Host" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 400, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1579, + "task": "Engine Lifecycle" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx
new file mode 100644
index 00000000000..4129d245b10
Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx differ
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json
new file mode 100644
index 00000000000..12d2723b596
--- /dev/null
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json
@@ -0,0 +1,179 @@ +[ + { + "@timestamp": "2020-05-14T15:31:22.4269238Z", + "event": { + "action": "Engine Lifecycle", + "category": [ + "process" + ], + "code": 403, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 33, + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "6f14a54e-5992-42dd-b38c-68830a28b1b6" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + ], + "args_count": 1, + "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe", + "entity_id": "1929aa68-472a-404a-8ead-96bd7b49f2db", + "title": "Windows PowerShell ISE Host" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 403, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1687, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-15T08:11:47.932007Z", + "event": { + "action": "Engine Lifecycle", + "category": [ + "process" + ], + "code": 403, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 37, + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": 
"ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 403, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1706, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-15T08:28:53.6266982Z", + "event": { + "action": "Engine Lifecycle", + "category": [ + "process" + ], + "code": 403, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 37, + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "8228a4bd-3125-4d1a-997b-3a4df8c085f2" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-executionpolicy", + "bypass", + "-encodedCommand", + "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", + "-inputFormat", + "xml", + "-outputFormat", + "text" + ], + "args_count": 9, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text", + "entity_id": "f9cd0d65-6665-4b88-9142-f03a2d20f8b8", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 403, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1766, + "task": "Engine Lifecycle" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx
new file mode 100644
index 00000000000..fc1f1b83818
Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx differ
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json
new file mode 100644
index 00000000000..e040dd0d8f4
--- /dev/null
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json
@@ -0,0 +1,224 @@ +[ + { + "@timestamp": "2020-05-15T08:11:47.8979495Z", + "event": { + "action": "Executing Pipeline", + "category": [ + "process" + ], + "code": 4103, + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 34, + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "cmd.exe", + "type": "CommandInvocation", + "value": "\"cmd.exe\"" + }, + { + "related_command": "Out-Null", + "type": "CommandInvocation", + "value": "\"Out-Null\"" + }, + { + "name": "\"InputObject\"", + "related_command": "Out-Null", + "type": "ParameterBinding", + "value": "\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"" + } + ], + "name": "cmd.exe", + "path": "C:\\Windows\\system32\\cmd.exe", + "type": "Application" + }, + "connected_user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "1", + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" + }, + "related": { + "user": "vagrant" + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": 4103, + "opcode": "To be used when operation is just executing a method", + "process": { + "pid": 3984, + "thread": { + "id": 3616 + } + }, + "provider_guid": 
"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": 3885, + "task": "Executing Pipeline", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-15T08:13:06.7032939Z", + "event": { + "action": "Executing Pipeline", + "category": [ + "process" + ], + "code": 4103, + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 22, + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Resolve-Path", + "type": "CommandInvocation", + "value": "\"Resolve-Path\"" + }, + { + "name": "\"ErrorAction\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"Ignore\"" + }, + { + "name": "\"WarningAction\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"Ignore\"" + }, + { + "name": "\"InformationAction\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"Ignore\"" + }, + { + "name": "\"Verbose\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"False\"" + }, + { + "name": "\"Debug\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"False\"" + }, + { + "name": "\"Path\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"" + } + ], + "name": "Resolve-Path", + "type": "Cmdlet" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "9", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + 
"'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", + "title": "ConsoleHost" + }, + "related": { + "user": "vagrant" + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "activity_id": "{1aca0717-2acb-0003-db0b-ca1acb2ad601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": 4103, + "opcode": "To be used when operation is just executing a method", + "process": { + "pid": 5032, + "thread": { + "id": 4160 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": 3917, + "task": "Executing Pipeline", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx new file mode 100644 index 00000000000..513fa5863ec Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx differ diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json new file mode 100644 index 00000000000..5926c0f789e --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json 
@@ -0,0 +1,111 @@ +[ + { + "@timestamp": "2020-05-14T11:33:51.3892662Z", + "event": { + "action": "Execute a Remote Command", + "category": [ + "process" + ], + "code": 4104, + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", + "script_block_text": ".\\patata.ps1" + }, + "sequence": 1, + "total": 1 + }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": 4104, + "opcode": "On create calls", + "process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": 3580, + "task": "Execute a Remote Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-14T11:33:51.3938848Z", + "event": { + "action": "Execute a Remote Command", + "category": [ + "process" + ], + "code": 4104, + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "type": [ + "info" + ] + }, + "file": { + "directory": "C:\\Users\\vagrant\\Desktop", + "extension": "ps1", + "name": "patata.ps1", + "path": "C:\\Users\\vagrant\\Desktop\\patata.ps1" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f5521cbd-656e-4296-b74d-9ffb4eec23b0" + }, + "sequence": 1, + "total": 1 + }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": 4104, + "opcode": "On create calls", + 
"process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": 3582, + "task": "Execute a Remote Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx new file mode 100644 index 00000000000..d9cd9cd9e82 Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx differ diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json new file mode 100644 index 00000000000..2cbd24255ea --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json 
@@ -0,0 +1,52 @@ +[ + { + "@timestamp": "2020-05-13T09:04:04.7552325Z", + "event": { + "action": "Starting Command", + "category": [ + "process" + ], + "code": 4105, + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": 4105, + "opcode": "On create calls", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": 790, + "task": "Starting Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx new file mode 100644 index 00000000000..bb6d27a927e Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx differ diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json new file mode 100644 index 00000000000..e598bb408ee --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json 
@@ -0,0 +1,52 @@ +[ + { + "@timestamp": "2020-05-13T10:40:32.5957152Z", + "event": { + "action": "Stopping Command", + "category": [ + "process" + ], + "code": 4106, + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "4c487c13-46f7-4485-925b-34855c7e873c" + }, + "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" + }, + "winlog": { + "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": 4106, + "opcode": "On create calls", + "process": { + "pid": 4776, + "thread": { + "id": 5092 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": 933, + "task": "Stopping Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx new file mode 100644 index 00000000000..d45dd627aea Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx differ diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json new file mode 100644 index 00000000000..10682faa9c2 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json 
@@ -0,0 +1,119 @@ +[ + { + "@timestamp": "2020-05-13T13:21:43.1831809Z", + "event": { + "action": "Provider Lifecycle", + "category": [ + "process" + ], + "code": 600, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 35, + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\lateral.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 600, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1089, + "task": "Provider Lifecycle" + } + }, + { + "@timestamp": "2020-05-13T13:25:04.6564269Z", + "event": { + "action": "Provider Lifecycle", + "category": [ + "process" + ], + "code": 600, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 1, + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Registry", + "new_state": "Started" + } + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + 
"args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "44b8d66c-f5a2-4abb-ac7d-6db73990a6d3", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 600, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1266, + "task": "Provider Lifecycle" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx new file mode 100644 index 00000000000..01d0ef8246c Binary files /dev/null and b/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx differ diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx.golden.json new file mode 100644 index 00000000000..505a11b48af --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx.golden.json 
@@ -0,0 +1,363 @@ +[ + { + "@timestamp": "2020-02-26T09:37:40.4872415Z", + "event": { + "action": "Pipeline Execution Details", + "category": [ + "process" + ], + "code": 800, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 17, + "type": [ + "info" + ] + }, + "file": { + "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", + "extension": "psm1", + "name": "Microsoft.PowerShell.Archive.psm1", + "path": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1" + }, + "host": { + "name": "vagrant-2019" + }, + "log": { + "level": "information" + }, + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Add-Type", + "type": "CommandInvocation", + "value": "\"Add-Type\"" + }, + { + "name": "\"AssemblyName\"", + "related_command": "Add-Type", + "type": "ParameterBinding", + "value": "\"System.IO.Compression.FileSystem\"" + } + ], + "value": "Add-Type -AssemblyName System.IO.Compression.FileSystem" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "1", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "6a447a2c-693e-4d41-948d-129b455b2569", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "powershell", + "-executionpolicy", + "bypass", + "\u0026", + "{", + "if", + "(Test-Path", + "variable:global:ProgressPreference){set-variable", + "-name", + "variable:global:ProgressPreference", + "-value", + "'SilentlyContinue'};.", + "c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1;", + "\u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1';", + "exit", + "$LastExitCode", + "}" + ], + "args_count": 17, + "command_line": "powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }", + "entity_id": "ac3c99ce-7983-4996-807e-6a689eaba50b", + "title": "ConsoleHost" + }, + "related": { + "user": "vagrant" + }, + "user": { + "domain": "VAGRANT-2019", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant-2019", + "event_id": 800, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 191, + "task": "Pipeline Execution Details" + } + }, + { + "@timestamp": "2020-05-15T08:33:26.3769931Z", + "event": { + "action": "Pipeline Execution Details", + "category": [ + "process" + ], + "code": 800, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 135, + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Set-StrictMode", + "type": "CommandInvocation", + "value": "\"Set-StrictMode\"" + }, + { + "name": "\"Version\"", + "related_command": "Set-StrictMode", + "type": "ParameterBinding", + "value": "\"1.0\"" + } + ], + "value": "\u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "71", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": 
"aae5217d-054f-435f-9968-4b5bebf12116", + "title": "ConsoleHost" + }, + "related": { + "user": "vagrant" + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 800, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1843, + "task": "Pipeline Execution Details" + } + }, + { + "@timestamp": "2020-05-15T08:33:26.393089Z", + "event": { + "action": "Pipeline Execution Details", + "category": [ + "process" + ], + "code": 800, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 141, + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Import-LocalizedData", + "type": "CommandInvocation", + "value": "\"Import-LocalizedData\"" + }, + { + "name": "\"FileName\"", + "related_command": "Import-LocalizedData", + "type": "ParameterBinding", + "value": "\"ArchiveResources\"" + }, + { + "name": "\"BindingVariable\"", + "related_command": "Import-LocalizedData", + "type": "ParameterBinding", + "value": "\"LocalizedData\"" + }, + { + "related_command": "Import-LocalizedData", + "type": "NonTerminatingError", + "value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"" + } + ], + "value": "Import-LocalizedData LocalizedData -filename ArchiveResources" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "71", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + 
"-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", + "title": "ConsoleHost" + }, + "related": { + "user": "vagrant" + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 800, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1846, + "task": "Pipeline Execution Details" + } + }, + { + "@timestamp": "2020-05-15T08:33:26.393089Z", + "event": { + "action": "Pipeline Execution Details", + "category": [ + "process" + ], + "code": 800, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 143, + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Out-Default", + "type": "CommandInvocation", + "value": "\"Out-Default\"" + }, + { + "name": "\"InputObject\"", + "related_command": "Out-Default", + "type": "ParameterBinding", + "value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"" + } + ] + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "71", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'",
+ "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116",
+ "title": "ConsoleHost"
+ },
+ "related": {
+ "user": "vagrant"
+ },
+ "user": {
+ "domain": "VAGRANT",
+ "name": "vagrant"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Windows PowerShell",
+ "computer_name": "vagrant",
+ "event_id": 800,
+ "keywords": [
+ "Classic"
+ ],
+ "opcode": "Info",
+ "provider_name": "PowerShell",
+ "record_id": 1847,
+ "task": "Pipeline Execution Details"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml
index 55fced4e1bf..40bd93a8cce 100644
--- a/x-pack/winlogbeat/winlogbeat.reference.yml
+++ b/x-pack/winlogbeat/winlogbeat.reference.yml
@@ -43,6 +43,22 @@ winlogbeat.event_logs:
 id: sysmon
 file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
+ - name: Windows PowerShell
+ event_id: 400, 403, 600, 800
+ processors:
+ - script:
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
+
+ - name: Microsoft-Windows-PowerShell/Operational
+ event_id: 4103, 4104, 4105, 4106
+ processors:
+ - script:
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
+
 - name: ForwardedEvents
 tags: [forwarded]
 processors:
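Review bot: The two new event_logs entries carry no hint that several of the listed IDs are only written when the matching PowerShell audit policy is enabled — as far as I know 4103 and 800 need Module Logging, 4104 needs Script Block Logging and 4105/4106 additionally need script block invocation start/stop logging, while 400/403/600 are logged by default. Someone deploying this reference config on a host with default policy would expect 4103/4104 data and see none, with no indication why. A short comment above `- name: Microsoft-Windows-PowerShell/Operational` such as `# 4103 needs Module Logging; 4104-4106 need Script Block Logging (see the module docs)` would make the prerequisite explicit. The same applies to the `@@ -38,6 +38,22 @@` hunk of x-pack/winlogbeat/winlogbeat.yml.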
@@ -56,6 +72,16 @@ winlogbeat.event_logs:
 lang: javascript
 id: sysmon
 file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
+ - script:
+ when.equals.winlog.channel: Windows PowerShell
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
+ - script:
+ when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
 # ================================== General ===================================
diff --git a/x-pack/winlogbeat/winlogbeat.yml b/x-pack/winlogbeat/winlogbeat.yml
index bb852a289db..b346ede616c 100644
--- a/x-pack/winlogbeat/winlogbeat.yml
+++ b/x-pack/winlogbeat/winlogbeat.yml
@@ -38,6 +38,22 @@ winlogbeat.event_logs:
 id: sysmon
 file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
+ - name: Windows PowerShell
+ event_id: 400, 403, 600, 800
+ processors:
+ - script:
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
+
+ - name: Microsoft-Windows-PowerShell/Operational
+ event_id: 4103, 4104, 4105, 4106
+ processors:
+ - script:
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
+
 - name: ForwardedEvents
 tags: [forwarded]
 processors:
@@ -51,6 +67,16 @@ winlogbeat.event_logs:
 lang: javascript
 id: sysmon
 file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
+ - script:
+ when.equals.winlog.channel: Windows PowerShell
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
+ - script:
+ when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
 # ====================== Elasticsearch template settings =======================
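Review bot: The ForwardedEvents script processors are gated only on `when.equals.winlog.channel`, whereas the direct channel entries above filter on `event_id`, so forwarded PowerShell events with IDs outside 400/403/600/800 and 4103–4106 are handed to winlogbeat-powershell.js as well. Whether that script passes unknown IDs through untouched cannot be seen from this diff; if it does not, either a guard in the script or a condition on `winlog.event_id` next to the channel check would keep unsupported events from being partially rewritten. The same pattern is repeated in the `@@ -51,6 +67,16 @@` hunk of x-pack/winlogbeat/winlogbeat.yml. The enclosing `- name: ForwardedEvents` entry starts above this hunk, so its `event_id`/`tags` settings are not visible here.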