Logging Windows command-line events (cmd and PowerShell). And while it's policy that no one should be entering passwords directly on the command line... well, you know.
Curious if anyone has come up with a clever way to filter/substitute for when users insist on entering passwords on the command line?
Example - something along these lines...
filter {
  mutate {
    gsub => [
      # mask the argument that follows a -p / -password / --password= / /p: style
      # switch with ######## (example pattern standing in for "regex matching password")
      "[event_data][CommandLine]",
      '(?i)((?:--?(?:pass(?:word|wd)?|pwd|p)|/pass(?:word)?|/p)[\s:=]+)\S+',
      '\1########'
    ]
  }
}
Maybe some regex to look for the required password complexity? I'd be surprised if someone hasn't written this already.
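Added example, not from the original post: a Ruby version of the substitution, in the form it would take inside a Logstash ruby filter rather than a mutate gsub, so that both approaches from the post can be tried on sample input: a list of known switch positions, and then the "required password complexity" heuristic the post suggests over whatever tokens are left. The switch list, the complexity classes and the sample command lines are the editor's assumptions, not a tested standard.

```ruby
# Added example, not from the original post: mask plaintext passwords in a logged
# Windows command line. The switch list and the "password policy" heuristic are
# the editor's assumptions; extend them to match the tools in your environment.

MASK = '########'

# The shape of a password argument on cmd.exe / PowerShell: a quoted string or
# a run of non-whitespace characters.
SECRET = /"[^"]*"|'[^']*'|\S+/

# Known positions of a password. Group 1 (the prefix) is kept, group 2 is masked.
PASSWORD_ARG_PATTERNS = [
  # net user <account> <password> [/add] [/domain]
  /(\bnet\s+user\s+\S+\s+)(#{SECRET})/i,
  # switch forms: -p x, -Password x, -passwd x, --password=x, /p:x, /password:x
  %r{(\B(?:--?(?:pass(?:word|wd)?|pwd|p)|/pass(?:word)?|/p)[\s:=]+)(#{SECRET})}i,
  # key=value forms, e.g. connection strings: password=x
  /(\bpass(?:word|wd)?\s*=\s*)(#{SECRET})/i,
  # PowerShell: ConvertTo-SecureString 'x' -AsPlainText / ConvertTo-SecureString -String 'x'
  /(ConvertTo-SecureString\s+(?:-String\s+)?)(#{SECRET})/i
].freeze

# Heuristic for the poster's "required password complexity" idea: a token of
# 8+ characters with lower case, upper case, a digit and a symbol other than
# '-', '_' and '.', that is not a switch, a path, a UNC name or a scheme:/key:
# argument. The four-class rule is an assumed policy; tune it to the domain's.
def looks_like_password?(bare)
  return false if bare.length < 8
  return false if bare.start_with?('-', '/')
  return false if bare.include?('\\') || bare =~ /\A\w+:/
  [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z0-9\-_.]/].all? { |klass| bare =~ klass }
end

# Mask a whitespace-delimited token if it looks like a password; surrounding
# quote characters are kept so the command line still reads naturally.
def mask_token(tok)
  bare = tok.gsub(/\A["']+|["']+\z/, '')
  looks_like_password?(bare) ? tok.sub(bare, MASK) : tok
end

# Two passes: first the known switch positions, then the heuristic over what
# is left. The mask itself contains no letters or digits, so the heuristic
# never re-matches it.
def redact_command_line(cmd)
  out = cmd.dup
  PASSWORD_ARG_PATTERNS.each do |re|
    out = out.gsub(re) { "#{Regexp.last_match(1)}#{MASK}" }
  end
  out.split(/(\s+)/).map { |tok| mask_token(tok) }.join
end

# Constructed sample command lines (not real log data).
SAMPLES = [
  'net user svc_backup P@ssw0rd123 /add',
  'C:\Windows\System32\cmd.exe /c "net user bob P@ssw0rd123 /domain"',
  'psexec.exe \\\\srv01 -u CORP\admin -p Summer2024# cmd',
  'sqlcmd -S db01 -U sa -P "Qwerty!2024" -Q "SELECT 1"',
  %q(powershell.exe -Command "$p = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force"),
  'cscript.exe deploy.vbs CORP\svc Tr0ub4dor&3',
  '"C:\Program Files\App\Upd8er-Pro.exe" --port 8080 Win32_Process'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |line| puts "#{line}\n  -> #{redact_command_line(line)}" }
end
```

In Logstash this would sit in a `ruby` filter as `event.set('[event_data][CommandLine]', redact_command_line(event.get('[event_data][CommandLine]')))`, using the field name from the post's own example. Two caveats: the bare `-p` form also masks port arguments such as `-p 80`, which is the price of catching psexec and sqlcmd style switches; and the masking happens at ingest, so the plaintext already exists in the endpoint's own event log (4688 with command-line auditing, or the Sysmon process-create event) and in the shipper's queue, so this only limits what reaches the index.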