Hyphens in queries are ignored on Powershell Logs collected by Elastic Agent and Winlogbeat

Elastic Security Endpoint Security
,
#1

The Problem

When dealing with Powershell Logs collected by both Elastic Agent and winlogbeat, I'm dealing with the following problem:

Hyphens are ignored and contains queries don't work properly

For example:

image
image1597×705 75.1 KB

Queries in both KQL and Lucene fail to do a full match on Powershell Cmdlets

Asked Elastic on their slack, and already tried the following with no success:

  • Changing language (Tried with both KQL and Lucene)
  • Wrapping in Double quotes -> Not full match, "Get-ChromeDump" matches "Function Get-ErrorInELK{ #ChromeDump" and "Get-ChromeDump"
  • Use Wildcards -> No results
  • Use both Double quotes and wildcards -> Not full match, "*Get-ChromeDump*" matches "Function Get-ErrorInELK{ #ChromeDump" and "Get-ChromeDump"

The field is of the field type Keyword and is the only one that contains the information that I need.

Powershell Logs collected by both Elastic Agent and Winlogbeat are useless if I can't query cmdlets...There is any configuration that needs to be done to enable this?

#2

Hello!

It seems that the field powershell.file.script_block_text is of type text and it is using the standard tokenizer so hyphens are treated as word separators.

We could take a look at what alternative could be good for it instead of the current tokenizer. In the meantime, can you get that value from any other field in the event or it appears just in that one text?

#3

Hey Marc, this is the conclusion that I had too.

Gonna have to update these fields in the index template with the whitespace analyzer.

No other field contains the information, and even if we had an alternate field, it would likely have the same analyzer.

You know the implications of updating managed index templates or can point me to relevant documentation?

#4

Based on the title I assume this also applies to Elastic Agent. Elastic Agent uses a bit a different indexing strategy than winlogbeat. On how to change templates for Elastic Agent, here a few notes that could be helpful: https://github.com/elastic/beats/pull/23247/files

One way to fix this long term could be to contribute the change: https://github.com/elastic/beats/blob/ef6274d0d1e36308a333cbed69846a1bd63528ae/x-pack/winlogbeat/module/powershell/_meta/fields.yml#L128 The field could be indexed as text and keyword. Perhaps open an issue about it in the Beats repo?

1 Like