User.id Not Populated by PowerShell Module

It doesn't appear that the PowerShell module for Winlogbeat 7.9.2 is recording user.id or user.name.

Is this intended or a bug?

One example:

{
  "_index": "winlogbeat-7.9.2-2020.10.14-000001",
  "_type": "_doc",
  "_id": "Yjwza3UBFsYu-VWrDQYb",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-10-27T17:55:07.344Z",
    "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.18362.1110\n\tHostId=c14b139b-215a-4f21-983c-e67106979c7c\n\tHostApplication=powershell.exe\n\tEngineVersion=5.1.18362.1110\n\tRunspaceId=98ad71a5-5237-41c2-ad32-24fdd088661f\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
    "winlog": {
      "channel": "Windows PowerShell",
      "provider_name": "PowerShell",
      "keywords": [
        "Classic"
      ],
      "opcode": "Info",
      "computer_name": "[redacted]",
      "event_id": 400,
      "record_id": 690,
      "task": "Engine Lifecycle",
      "api": "wineventlog"
    },
    "host": {
      "name": "[redacted]",
      "os": {
        "kernel": "10.0.18362.1139 (WinBuild.160101.0800)",
        "build": "18363.1139",
        "platform": "windows",
        "version": "10.0",
        "family": "windows",
        "name": "Windows 10 Enterprise Evaluation"
      },
      "id": "9bdc5154-52ee-4763-8cab-1f6c670f34d9",
      "ip": [
        "fe80::81e2:50b5:eb1d:daf2",
        "172.16.17.151"
      ],
      "mac": [
        "00:0c:29:b4:4c:e8"
      ],
      "hostname": "[redacted]",
      "architecture": "x86_64"
    },
    "log": {
      "level": "information"
    },
    "powershell": {
      "process": {
        "executable_version": "5.1.18362.1110"
      },
      "engine": {
        "new_state": "Available",
        "previous_state": "None",
        "version": "5.1.18362.1110"
      },
      "runspace_id": "98ad71a5-5237-41c2-ad32-24fdd088661f"
    },
    "event": {
      "module": "powershell",
      "category": [
        "process"
      ],
      "sequence": 13,
      "action": "Engine Lifecycle",
      "created": "2020-10-27T17:55:08.146Z",
      "code": 400,
      "type": [
        "start"
      ],
      "provider": "PowerShell",
      "kind": "event"
    },
    "process": {
      "entity_id": "c14b139b-215a-4f21-983c-e67106979c7c",
      "command_line": "powershell.exe",
      "title": "ConsoleHost",
      "args": [
        "powershell.exe"
      ],
      "args_count": 1
    },
    "ecs": {
      "version": "1.5.0"
    },
    "agent": {
      "type": "winlogbeat",
      "version": "7.9.2",
      "hostname": "[redacted]",
      "ephemeral_id": "2e280b70-00ef-4b00-bbd5-118feeab703a",
      "id": "0c1c612e-b1cd-4a47-b9f9-28f811a29630",
      "name": "[redacted]"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-10-27T17:55:07.344Z"
    ],
    "event.created": [
      "2020-10-27T17:55:08.146Z"
    ]
  },
  "sort": [
    1603821307344
  ]
}

Hello @variable!

First of all thanks for bringing this up :smile:

The PowerShell module tries to populate user information from the events when it is available (not all events carry user info). If it is not being populated, either the event does not hold the user information or the PS module is not parsing that specific event properly for some reason.

Can you provide the redacted original event as it shows in the event log?

Thanks!

Hey Marc, thanks for the response.

What do you mean by the "original event"; is that different than the JSON above?

The JSON above is the event that gets sent to Elasticsearch. To be able to troubleshoot whether any fields are being ignored or parsed incorrectly, it would be nice if we could have a look at the event as it is stored in the Windows Event Log on the host machine.

Thanks :smiley:

Ah, gotcha. Sorry 'bout that, Windows isn't my native language :grimacing:

Log Name:      Windows PowerShell
Source:        PowerShell
Date:          10/29/2020 4:53:32 PM
Event ID:      400
Task Category: Engine Lifecycle
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      [redacted]
Description:
Engine state is changed from None to Available. 

Details: 
	NewEngineState=Available
	PreviousEngineState=None

	SequenceNumber=37

	HostName=Default Host
	HostVersion=5.1.18362.1110
	HostId=e15360f5-6b6a-4131-9cc4-5e8890d4c653
	HostApplication=C:\Windows\System32\RemoteFXvGPUDisablement.exe Disable
	EngineVersion=5.1.18362.1110
	RunspaceId=9f9d4d7d-ff53-4a38-98a0-e435fc132db6
	PipelineId=
	CommandName=
	CommandType=
	ScriptName=
	CommandPath=
	CommandLine=
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PowerShell" />
    <EventID Qualifiers="0">400</EventID>
    <Level>4</Level>
    <Task>4</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-10-29T16:53:32.619072600Z" />
    <EventRecordID>738</EventRecordID>
    <Channel>Windows PowerShell</Channel>
    <Computer>[redacted]</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Available</Data>
    <Data>None</Data>
    <Data>	NewEngineState=Available
	PreviousEngineState=None

	SequenceNumber=37

	HostName=Default Host
	HostVersion=5.1.18362.1110
	HostId=e15360f5-6b6a-4131-9cc4-5e8890d4c653
	HostApplication=C:\Windows\System32\RemoteFXvGPUDisablement.exe Disable
	EngineVersion=5.1.18362.1110
	RunspaceId=9f9d4d7d-ff53-4a38-98a0-e435fc132db6
	PipelineId=
	CommandName=
	CommandType=
	ScriptName=
	CommandPath=
	CommandLine=</Data>
  </EventData>
</Event>

Elasticsearch

{
  "_index": "winlogbeat-7.9.2-2020.10.14-000001",
  "_type": "_doc",
  "_id": "matIdXUBio9VLad4xSze",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-10-29T16:53:32.619Z",
    "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=37\n\n\tHostName=Default Host\n\tHostVersion=5.1.18362.1110\n\tHostId=e15360f5-6b6a-4131-9cc4-5e8890d4c653\n\tHostApplication=C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe Disable\n\tEngineVersion=5.1.18362.1110\n\tRunspaceId=9f9d4d7d-ff53-4a38-98a0-e435fc132db6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
    "powershell": {
      "engine": {
        "new_state": "Available",
        "previous_state": "None",
        "version": "5.1.18362.1110"
      },
      "runspace_id": "9f9d4d7d-ff53-4a38-98a0-e435fc132db6",
      "process": {
        "executable_version": "5.1.18362.1110"
      }
    },
    "agent": {
      "name": "[redacted]",
      "type": "winlogbeat",
      "version": "7.9.2",
      "hostname": "[redacted]",
      "ephemeral_id": "3ec00cde-7600-43c8-a64c-34692b037f08",
      "id": "0c1c612e-b1cd-4a47-b9f9-28f811a29630"
    },
    "winlog": {
      "task": "Engine Lifecycle",
      "channel": "Windows PowerShell",
      "event_id": 400,
      "api": "wineventlog",
      "opcode": "Info",
      "provider_name": "PowerShell",
      "computer_name": "[redacted]",
      "keywords": [
        "Classic"
      ],
      "record_id": 738
    },
    "log": {
      "level": "information"
    },
    "process": {
      "title": "Default Host",
      "args": [
        "C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe",
        "Disable"
      ],
      "args_count": 2,
      "entity_id": "e15360f5-6b6a-4131-9cc4-5e8890d4c653",
      "command_line": "C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe Disable"
    },
    "ecs": {
      "version": "1.5.0"
    },
    "event": {
      "created": "2020-10-29T16:55:02.604Z",
      "kind": "event",
      "category": [
        "process"
      ],
      "sequence": 37,
      "code": 400,
      "action": "Engine Lifecycle",
      "module": "powershell",
      "type": [
        "start"
      ],
      "provider": "PowerShell"
    },
    "host": {
      "os": {
        "build": "18363.1139",
        "platform": "windows",
        "version": "10.0",
        "family": "windows",
        "name": "Windows 10 Enterprise Evaluation",
        "kernel": "10.0.18362.1139 (WinBuild.160101.0800)"
      },
      "id": "9bdc5154-52ee-4763-8cab-1f6c670f34d9",
      "ip": [
        "fe80::81e2:50b5:eb1d:daf2",
        "172.16.17.151"
      ],
      "name": "[redacted]",
      "mac": [
        "00:0c:29:b4:4c:e8"
      ],
      "hostname": "[redacted]",
      "architecture": "x86_64"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-10-29T16:53:32.619Z"
    ],
    "event.created": [
      "2020-10-29T16:55:02.604Z"
    ]
  },
  "highlight": {
    "event.module": [
      "@kibana-highlighted-field@powershell@/kibana-highlighted-field@"
    ],
    "event.type": [
      "@kibana-highlighted-field@start@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1603990412619
  ]
}

Thanks!

It seems there is no user data in this event; IIRC that is usually the case with events with code 400. You might try to correlate the runspace id and sequence number to find out more about the previous/following events, though.

Hope it helps!

Regards :slight_smile:
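The two points made in this thread (the module only fills user.id when the event carries it, and a runspace id plus sequence number lets you correlate neighbouring events) can be checked against the raw Event XML directly. The script below is an added example, not Winlogbeat's own code: it parses the Windows event schema the way the page shows it, reads the user SID from the `UserID` attribute of the `<Security>` element when one is present, extracts `RunspaceId` and `SequenceNumber` from the tab-indented details block, and then fills the missing user id on the 400 event from another event in the same runspace. The 400 event is the one posted above (details trimmed); the follow-up 403 event and its SID are constructed placeholders for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event 400 from the thread above (details block trimmed to the keys used here).
EVENT_400 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PowerShell" />
    <EventID Qualifiers="0">400</EventID>
    <EventRecordID>738</EventRecordID>
    <Channel>Windows PowerShell</Channel>
    <Security />
  </System>
  <EventData>
    <Data>Available</Data>
    <Data>None</Data>
    <Data>    NewEngineState=Available
    PreviousEngineState=None

    SequenceNumber=37

    HostName=Default Host
    HostApplication=C:\Windows\System32\RemoteFXvGPUDisablement.exe Disable
    RunspaceId=9f9d4d7d-ff53-4a38-98a0-e435fc132db6
    CommandLine=</Data>
  </EventData>
</Event>"""

# CONSTRUCTED follow-up event (403, engine stopped) in the same runspace. The
# Security UserID is a placeholder SID, not a value taken from the thread.
EVENT_403 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PowerShell" />
    <EventID Qualifiers="0">403</EventID>
    <EventRecordID>739</EventRecordID>
    <Channel>Windows PowerShell</Channel>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001" />
  </System>
  <EventData>
    <Data>Stopped</Data>
    <Data>Available</Data>
    <Data>    NewEngineState=Stopped
    PreviousEngineState=Available

    SequenceNumber=38

    HostName=Default Host
    RunspaceId=9f9d4d7d-ff53-4a38-98a0-e435fc132db6
    CommandLine=</Data>
  </EventData>
</Event>"""


def parse_details(text):
    """Turn the indented Key=Value block of the third <Data> element into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields


def parse_event(xml_text):
    """Extract the fields needed for user attribution and correlation."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    security = system.find("e:Security", NS)
    # The SID lives on the UserID attribute; an empty <Security /> yields None.
    user_id = security.get("UserID") if security is not None else None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    details = parse_details(data[2]) if len(data) >= 3 else {}
    seq = details.get("SequenceNumber")
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "record_id": int(system.find("e:EventRecordID", NS).text),
        "user_id": user_id,
        "runspace_id": details.get("RunspaceId"),
        "sequence": int(seq) if seq else None,
        "details": details,
    }


def correlate_user(events):
    """Map record_id -> user id, borrowing the SID from any event in the same runspace."""
    by_runspace = defaultdict(list)
    for ev in events:
        by_runspace[ev["runspace_id"]].append(ev)
    resolved = {}
    for evs in by_runspace.values():
        evs.sort(key=lambda e: e["sequence"] or 0)
        known = next((e["user_id"] for e in evs if e["user_id"]), None)
        for ev in evs:
            resolved[ev["record_id"]] = ev["user_id"] or known
    return resolved


def resolve_user_ids(xml_events):
    return correlate_user([parse_event(x) for x in xml_events])


if __name__ == "__main__":
    for record_id, uid in sorted(resolve_user_ids([EVENT_400, EVENT_403]).items()):
        print(record_id, uid)
```

Run on the two events, record 738 (the 400 event with an empty `<Security />`) comes back with no SID of its own but inherits the one from record 739 because both share the runspace id; with only the 400 event as input the result stays `None`, which is exactly the gap the thread describes.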
