ECS: Converting Winlogbeat for Sysmon/Security to Logstash

I'm in the process of converting the Winlogbeat JavaScript to Logstash, and I want to be sure I'm correctly interpreting some of the JavaScript.

In the snip below, is the winlogbeat.js template for Sysmon separating the binary from the file path and putting just the binary into the process.executable, process.parent.executable, and ECS fields?

    var path = require("path");

    var setProcessNameUsingExe = function (evt) {
        setProcessNameFromPath(evt, "process.executable", "process.name");
    };

    var setParentProcessNameUsingExe = function (evt) {
        setProcessNameFromPath(evt, "process.parent.executable", "process.parent.name");
    };

    // Copies the basename of pathField into nameField, but only if nameField is not already set.
    var setProcessNameFromPath = function (evt, pathField, nameField) {
        var name = evt.Get(nameField);
        if (name) {
            return;
        }
        var exe = evt.Get(pathField);
        evt.Put(nameField, path.basename(exe));
    };

Also, because the path.basename(exe) contains the 'exe' string, would it only do that for exe files?



It sets the field with the basename of process.executable if and only if it is not set.
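The same "derive the name from the executable path only when the name is unset" logic, written as it would go inside a Logstash `ruby` filter (added example; not code from the thread or from Winlogbeat). It assumes a minimal stand-in for the Logstash event API (`get`/`set`), uses Logstash's `[process][name]` bracket syntax for the nested ECS fields, and splits on backslashes explicitly because Logstash usually runs on Linux, where Ruby's `File.basename` only treats `/` as a separator. `exe` is just a variable name: the basename is taken whatever the file extension is.

```ruby
# Added example: Logstash ruby-filter equivalent of Winlogbeat's
# setProcessNameFromPath. Not the thread's or Winlogbeat's own code.

# Sysmon Image fields carry Windows paths with backslashes. On a Linux
# Logstash host File.basename only splits on "/", so split on both.
def win_basename(path)
  path.to_s.split(/[\\\/]/).last.to_s
end

# path_field / name_field are Logstash field references such as
# "[process][executable]" and "[process][name]" (nested ECS fields).
def set_name_from_path(event, path_field, name_field)
  return if event.get(name_field)          # already set: leave it alone
  exe = event.get(path_field)
  return if exe.nil? || exe.empty?         # nothing to derive a name from
  event.set(name_field, win_basename(exe))
end

# Hypothetical stand-in for the Logstash event object, so this runs
# outside Logstash. Inside a ruby filter, `event` is provided for you.
class FakeEvent
  def initialize(fields) ; @f = fields ; end
  def get(k) ; @f[k] ; end
  def set(k, v) ; @f[k] = v ; end
end

# Constructed Sysmon-like events exercising the three interesting cases.
def demo
  e1 = FakeEvent.new("[process][executable]" => 'C:\Windows\System32\cmd.exe')
  e2 = FakeEvent.new("[process][executable]" => 'C:\Tools\agent',
                     "[process][name]" => "custom")   # preset name wins
  e3 = FakeEvent.new("[process][parent][executable]" => 'C:\Program Files\PowerShell\7\pwsh')
  set_name_from_path(e1, "[process][executable]", "[process][name]")
  set_name_from_path(e2, "[process][executable]", "[process][name]")
  set_name_from_path(e3, "[process][parent][executable]", "[process][parent][name]")
  [e1.get("[process][name]"), e2.get("[process][name]"), e3.get("[process][parent][name]")]
end
```

Note that a path without an `.exe` suffix (`C:\Tools\agent`, `...\pwsh`) is handled exactly like one with it, and an explicitly set name is never overwritten.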
