elastic
diff --git a/‎packages/windows/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/windows/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json‎
Lines changed: 45 additions & 0 deletions b/‎packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json‎
Lines changed: 61 additions & 0 deletions b/‎packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml‎
Lines changed: 1 addition & 0 deletions b/‎packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml‎
Lines changed: 1 addition & 0 deletions b/‎packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml‎
Lines changed: 1 addition & 0 deletions b/‎packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 1 addition & 0 deletions b/‎packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json‎
Lines changed: 42 additions & 0 deletions b/‎packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json‎
Lines changed: 54 additions & 0 deletions b/‎packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 1 addition & 0 deletions b/‎packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 1 addition & 0 deletions
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.2"
+ changes:
+ - description: Fix powershell error on events 40961 and 40962 (at minimum)
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10792 
 - version: "2.0.1"
  changes:
  - description: Fix IPv6 cleanup step.
 
@@ -216,6 +216,51 @@
  },
  "version": 1
  }
+ },
+ {
+ "@timestamp": "2024-09-09T16:53:34.055Z",
+ "event": {
+ "action": "PowerShell Console Startup",
+ "code": "40961",
+ "created": "2024-09-09T17:08:14.566Z",
+ "kind": "event",
+ "provider": "Microsoft-Windows-PowerShell"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "PowerShell console is starting up",
+ "tags": [
+ "forwarded"
+ ],
+ "winlog": {
+ "activity_id": "{9b36ffb2-ffc3-0007-7f34-379bc3ffda01}",
+ "api": "wineventlog",
+ "channel": "Microsoft-Windows-PowerShell/Operational",
+ "computer_name": "DESKTOP-H1QFQE0.bensdomain.com",
+ "event_id": "40961",
+ "opcode": "Start",
+ "process": {
+ "pid": 8824,
+ "thread": {
+ "id": 1472
+ }
+ },
+ "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_name": "Microsoft-Windows-PowerShell",
+ "record_id": 206,
+ "task": "PowerShell Console Startup",
+ "user": {
+ "domain": "NT AUTHORITY",
+ "identifier": "S-1-5-18",
+ "name": "SYSTEM",
+ "type": "Well Known Group"
+ },
+ "version": 1
+ }
  }
  ]
 }
@@ -421,6 +421,67 @@
  },
  "version": 1
  }
+ },
+ {
+ "@timestamp": "2024-09-09T16:53:34.055Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "PowerShell Console Startup",
+ "category": [
+ "process"
+ ],
+ "code": "40961",
+ "created": "2024-09-09T17:08:14.566Z",
+ "kind": "event",
+ "provider": "Microsoft-Windows-PowerShell",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "vagrant",
+ "os": {
+ "family": "windows",
+ "type": "windows"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "PowerShell console is starting up",
+ "tags": [
+ "forwarded"
+ ],
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "activity_id": "{9b36ffb2-ffc3-0007-7f34-379bc3ffda01}",
+ "api": "wineventlog",
+ "channel": "Microsoft-Windows-PowerShell/Operational",
+ "computer_name": "DESKTOP-H1QFQE0.bensdomain.com",
+ "event_id": "40961",
+ "opcode": "Start",
+ "process": {
+ "pid": 8824,
+ "thread": {
+ "id": 1472
+ }
+ },
+ "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_name": "Microsoft-Windows-PowerShell",
+ "record_id": "206",
+ "task": "PowerShell Console Startup",
+ "user": {
+ "domain": "NT AUTHORITY",
+ "identifier": "S-1-5-18",
+ "name": "SYSTEM",
+ "type": "Well Known Group"
+ },
+ "version": 1
+ }
  }
  ]
 }
@@ -449,6 +449,7 @@ processors:
  description: Remove all empty values from event_data.
  lang: painless
  source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals(""));
+ if: ctx?.winlog?.event_data != null
  - remove:
  description: Remove empty event data.
  field: winlog.event_data
 
@@ -532,6 +532,7 @@ processors:
  description: Remove all empty values from event_data.
  lang: painless
  source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals(""));
+ if: ctx?.winlog?.event_data != null
  - remove:
  description: Remove empty event data.
  field: winlog.event_data
 
@@ -1402,6 +1402,7 @@ processors:
  description: Remove all empty values from event_data.
  lang: painless
  source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || entry.getValue().equals("-"));
+ if: ctx?.winlog?.event_data != null
  - remove:
  description: Remove empty event data.
  field: winlog.event_data
 
@@ -476,6 +476,7 @@ processors:
  description: Remove all empty values from event_data.
  lang: painless
  source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals(""));
+ if: ctx?.winlog?.event_data != null
  - remove:
  description: Remove empty event data.
  field: winlog.event_data
 
@@ -216,6 +216,48 @@
  },
  "version": 1
  }
+ },
+ {
+ "@timestamp": "2024-09-03T15:27:45.847Z",
+ "event": {
+ "action": "PowerShell Console Startup",
+ "code": "40961",
+ "created": "2024-09-05T20:18:14.254Z",
+ "kind": "event",
+ "provider": "Microsoft-Windows-PowerShell"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "PowerShell console is starting up",
+ "winlog": {
+ "activity_id": "{3ee7a05a-f7fc-0006-f0d2-e73efcf7da01}",
+ "api": "wineventlog",
+ "channel": "Microsoft-Windows-PowerShell/Operational",
+ "computer_name": "vagrant",
+ "event_id": "40961",
+ "opcode": "Start",
+ "process": {
+ "pid": 2364,
+ "thread": {
+ "id": 8092
+ }
+ },
+ "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_name": "Microsoft-Windows-PowerShell",
+ "record_id": 143,
+ "task": "PowerShell Console Startup",
+ "user": {
+ "domain": "NT AUTHORITY",
+ "identifier": "S-1-5-18",
+ "name": "SYSTEM",
+ "type": "Well Known Group"
+ },
+ "version": 1
  }
+ }
  ]
 }
@@ -402,6 +402,60 @@
  },
  "version": 1
  }
+ },
+ {
+ "@timestamp": "2024-09-03T15:27:45.847Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "PowerShell Console Startup",
+ "category": [
+ "process"
+ ],
+ "code": "40961",
+ "created": "2024-09-05T20:18:14.254Z",
+ "kind": "event",
+ "provider": "Microsoft-Windows-PowerShell",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "PowerShell console is starting up",
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "activity_id": "{3ee7a05a-f7fc-0006-f0d2-e73efcf7da01}",
+ "api": "wineventlog",
+ "channel": "Microsoft-Windows-PowerShell/Operational",
+ "computer_name": "vagrant",
+ "event_id": "40961",
+ "opcode": "Start",
+ "process": {
+ "pid": 2364,
+ "thread": {
+ "id": 8092
+ }
+ },
+ "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_name": "Microsoft-Windows-PowerShell",
+ "record_id": "143",
+ "task": "PowerShell Console Startup",
+ "user": {
+ "domain": "NT AUTHORITY",
+ "identifier": "S-1-5-18",
+ "name": "SYSTEM",
+ "type": "Well Known Group"
+ },
+ "version": 1
+ }
  }
  ]
 }
@@ -537,6 +537,7 @@ processors:
  description: Remove all empty values from event_data.
  lang: painless
  source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals(""));
+ if: ctx?.winlog?.event_data != null
  - remove:
  description: Remove empty event data.
  field: winlog.event_data