Hello All,
We’ve had this fix in place for a while, but I noticed when checking open issues that an enhancement request existed to add process.args_count to the Elastic Agent integrations.
I’ve reviewed the code for both the ingest pipeline for Elastic Agent and for Winlogbeat and the fix would be the same. That being said, we have it working live for Winlogbeat, so I figured I’d open a PR for what I know is working and then suggest another similar PR for Elastic Agent.
It’s PR 47266.
I’ll recap the TL;DR I put into the PR here as well for ease of reference:
I reviewed the ingest pipeline used for Sysmon and the Script processor that implements the "Windows-like SplitCommandLine" logic. Lines 542 to 546 implement the logic for Sysmon, so I adapted those lines into the correct order of operations defined in the Security ingest pipeline, inserted at line 3718.
I couldn’t figure out how to apply labels, so I just want to make sure I submitted the PR correctly since it’s my first one.
I’d appreciate if an Elastic Team Member could review and let me know.
Thank you!
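To show what the PR's `process.args_count` logic boils down to, here is an added example (my own Python, not the Winlogbeat or Elastic Agent pipeline code and not the Painless script the post refers to). It reimplements the Windows-style command-line splitting rules (whitespace delimiters, double-quoted arguments, and the backslash-before-quote counting that `CommandLineToArgvW` applies), then fills `process.args` and `process.args_count` on a constructed ECS-shaped event. The `enrich_process` helper, the event layout, and the `process.command_line` input field are assumptions for illustration; the point is that `args_count` must be derived from the same split that produces `args`, including the awkward trailing-backslash case that Windows parsing gets "wrong" by design.

```python
# Added example: a Windows-like command-line splitter plus process.args /
# process.args_count enrichment. Not the pipeline's own Painless script.

WHITESPACE = " \t"


def split_command_line(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, following the
    CommandLineToArgvW rules:
      * arguments are separated by unquoted spaces/tabs;
      * a double quote toggles "quoted" mode (spaces inside are literal);
      * 2n backslashes before a quote -> n backslashes, quote toggles mode;
      * 2n+1 backslashes before a quote -> n backslashes plus a literal quote;
      * backslashes not followed by a quote are literal.
    """
    args: list[str] = []
    cur: list[str] = []
    in_quotes = False
    have_arg = False  # distinguishes an empty quoted arg ("") from no arg
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2 == 1:
                    cur.append('"')   # odd: the quote is literal
                    i = j + 1
                else:
                    i = j             # even: let the quote toggle mode below
            else:
                cur.append("\\" * count)
                i = j
            have_arg = True
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
            continue
        if c in WHITESPACE and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
            continue
        cur.append(c)
        have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def enrich_process(event: dict) -> dict:
    """Hypothetical enrichment step: derive process.args and
    process.args_count from process.command_line, if present."""
    proc = event.get("process")
    if not proc or "command_line" not in proc:
        return event
    args = split_command_line(proc["command_line"])
    proc["args"] = args
    proc["args_count"] = len(args)  # always len(args), never counted separately
    return event


# Constructed sample event (not a real log), shaped like a process-creation
# event after the CommandLine field has been mapped to process.command_line.
SAMPLE_EVENT = {
    "event": {"code": "4688"},
    "process": {
        "command_line": r'"C:\Program Files\App\app.exe" --out "C:\dir\"',
    },
}

if __name__ == "__main__":
    enriched = enrich_process(SAMPLE_EVENT)
    print(enriched["process"]["args"], enriched["process"]["args_count"])
```

Note the last argument of the sample: `"C:\dir\"` ends with a backslash followed by a quote, so Windows treats that quote as literal and the argument becomes `C:\dir"`. A splitter that naively strips quotes would produce a different `args` list and therefore a different `args_count`; that is why the count should always be computed from the split result rather than from a separate regex.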