Adding tests and addressing PR comments.

elastic · Sep 10, 2024 · 8ef0da9 · 8ef0da9
1 parent b455b5a
commit 8ef0da9
Show file tree

Hide file tree

Showing 10 changed files with 208 additions and 1 deletion.
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json
@@ -216,6 +216,51 @@
                 },
                 "version": 1
             }
+        },
+        {
+            "@timestamp": "2024-09-09T16:53:34.055Z",
+            "event": {
+                "action": "PowerShell Console Startup",
+                "code": "40961",
+                "created": "2024-09-09T17:08:14.566Z",
+                "kind": "event",
+                "provider": "Microsoft-Windows-PowerShell"
+            },
+            "host": {
+                "name": "vagrant"
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "PowerShell console is starting up",
+            "tags": [
+                "forwarded"
+            ],
+            "winlog": {
+                "activity_id": "{9b36ffb2-ffc3-0007-7f34-379bc3ffda01}",
+                "api": "wineventlog",
+                "channel": "Microsoft-Windows-PowerShell/Operational",
+                "computer_name": "DESKTOP-H1QFQE0.bensdomain.com",
+                "event_id": "40961",
+                "opcode": "Start",
+                "process": {
+                    "pid": 8824,
+                    "thread": {
+                        "id": 1472
+                    }
+                },
+                "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+                "provider_name": "Microsoft-Windows-PowerShell",
+                "record_id": 206,
+                "task": "PowerShell Console Startup",
+                "user": {
+                    "domain": "NT AUTHORITY",
+                    "identifier": "S-1-5-18",
+                    "name": "SYSTEM",
+                    "type": "Well Known Group"
+                },
+                "version": 1
+            }
         }
     ]
 }
diff --git a/...indows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json b/...indows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
@@ -421,6 +421,67 @@
                 },
                 "version": 1
             }
+        },
+        {
+            "@timestamp": "2024-09-09T16:53:34.055Z",
+            "ecs": {
+                "version": "8.0.0"
+            },
+            "event": {
+                "action": "PowerShell Console Startup",
+                "category": [
+                    "process"
+                ],
+                "code": "40961",
+                "created": "2024-09-09T17:08:14.566Z",
+                "kind": "event",
+                "provider": "Microsoft-Windows-PowerShell",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "name": "vagrant",
+                "os": {
+                    "family": "windows",
+                    "type": "windows"
+                }
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "PowerShell console is starting up",
+            "tags": [
+                "forwarded"
+            ],
+            "user": {
+                "id": "S-1-5-18"
+            },
+            "winlog": {
+                "activity_id": "{9b36ffb2-ffc3-0007-7f34-379bc3ffda01}",
+                "api": "wineventlog",
+                "channel": "Microsoft-Windows-PowerShell/Operational",
+                "computer_name": "DESKTOP-H1QFQE0.bensdomain.com",
+                "event_id": "40961",
+                "opcode": "Start",
+                "process": {
+                    "pid": 8824,
+                    "thread": {
+                        "id": 1472
+                    }
+                },
+                "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+                "provider_name": "Microsoft-Windows-PowerShell",
+                "record_id": "206",
+                "task": "PowerShell Console Startup",
+                "user": {
+                    "domain": "NT AUTHORITY",
+                    "identifier": "S-1-5-18",
+                    "name": "SYSTEM",
+                    "type": "Well Known Group"
+                },
+                "version": 1
+            }
         }
     ]
 }
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
@@ -449,6 +449,7 @@ processors:
       description: Remove all empty values from event_data.
       lang: painless
       source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals(""));
+      if: ctx?.winlog?.event_data != null
   - remove:
       description: Remove empty event data.
       field: winlog.event_data

diff --git a/...es/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml b/...es/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
@@ -532,6 +532,7 @@ processors:
       description: Remove all empty values from event_data.
       lang: painless
       source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals(""));
+      if: ctx?.winlog?.event_data != null
   - remove:
       description: Remove empty event data.
       field: winlog.event_data

diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
@@ -1402,6 +1402,7 @@ processors:
       description: Remove all empty values from event_data.
       lang: painless
       source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || entry.getValue().equals("-"));
+      if: ctx?.winlog?.event_data != null
   - remove:
       description: Remove empty event data.
       field: winlog.event_data

diff --git a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml
@@ -476,6 +476,7 @@ processors:
       description: Remove all empty values from event_data.
       lang: painless
       source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals(""));
+      if: ctx?.winlog?.event_data != null
   - remove:
       description: Remove empty event data.
       field: winlog.event_data

diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json
@@ -216,6 +216,48 @@
                 },
                 "version": 1
             }
+        },
+        {
+        "@timestamp": "2024-09-03T15:27:45.847Z",
+        "event": {
+            "action": "PowerShell Console Startup",
+            "code": "40961",
+            "created": "2024-09-05T20:18:14.254Z",
+            "kind": "event",
+            "provider": "Microsoft-Windows-PowerShell"
+        },
+        "host": {
+            "name": "vagrant"
+        },
+        "log": {
+            "level": "information"
+        },
+        "message": "PowerShell console is starting up",
+        "winlog": {
+            "activity_id": "{3ee7a05a-f7fc-0006-f0d2-e73efcf7da01}",
+            "api": "wineventlog",
+            "channel": "Microsoft-Windows-PowerShell/Operational",
+            "computer_name": "vagrant",
+            "event_id": "40961",
+            "opcode": "Start",
+            "process": {
+                "pid": 2364,
+                "thread": {
+                    "id": 8092
+                }
+            },
+            "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+            "provider_name": "Microsoft-Windows-PowerShell",
+            "record_id": 143,
+            "task": "PowerShell Console Startup",
+            "user": {
+                "domain": "NT AUTHORITY",
+                "identifier": "S-1-5-18",
+                "name": "SYSTEM",
+                "type": "Well Known Group"
+            },
+            "version": 1
         }
+    }
     ]
 }
diff --git a/...dows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/...dows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json
@@ -402,6 +402,60 @@
                 },
                 "version": 1
             }
+        },
+        {
+            "@timestamp": "2024-09-03T15:27:45.847Z",
+            "ecs": {
+                "version": "8.0.0"
+            },
+            "event": {
+                "action": "PowerShell Console Startup",
+                "category": [
+                    "process"
+                ],
+                "code": "40961",
+                "created": "2024-09-05T20:18:14.254Z",
+                "kind": "event",
+                "provider": "Microsoft-Windows-PowerShell",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "name": "vagrant"
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "PowerShell console is starting up",
+            "user": {
+                "id": "S-1-5-18"
+            },
+            "winlog": {
+                "activity_id": "{3ee7a05a-f7fc-0006-f0d2-e73efcf7da01}",
+                "api": "wineventlog",
+                "channel": "Microsoft-Windows-PowerShell/Operational",
+                "computer_name": "vagrant",
+                "event_id": "40961",
+                "opcode": "Start",
+                "process": {
+                    "pid": 2364,
+                    "thread": {
+                        "id": 8092
+                    }
+                },
+                "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+                "provider_name": "Microsoft-Windows-PowerShell",
+                "record_id": "143",
+                "task": "PowerShell Console Startup",
+                "user": {
+                    "domain": "NT AUTHORITY",
+                    "identifier": "S-1-5-18",
+                    "name": "SYSTEM",
+                    "type": "Well Known Group"
+                },
+                "version": 1
+            }
         }
     ]
 }
diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
@@ -1406,6 +1406,7 @@ processors:
       description: Remove all empty values from event_data.
       lang: painless
       source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || entry.getValue().equals("-"));
+      if: ctx?.winlog?.event_data != null
   - remove:
       description: Remove empty event data.
       field: winlog.event_data

diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 2.0.1
+version: 2.0.2
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: