
Change log for POWERSHELL

Date: 2022-11-09
Enhancement:
- The field 'ProviderGuid' is mapped to 'metadata.product_deployment_id'.
- The field 'ExecutionProcessID' is mapped to 'principal.process.pid'.
- The field 'ProcessID' or 'Process ID' is mapped to 'principal.process.pid'.
- The field 'SourceModuleType' is mapped to 'principal.resource.resource_subtype'.
- The field 'SourceModuleName' is mapped to 'principal.resource.name'.
- The field 'Machine' is mapped to 'principal.asset.asset_id'.
- The field 'MessageSourceAddress' is mapped to 'principal.ip'.
- The field 'File' is mapped to 'target.process.file.full_path'.
- The field 'Host Application' or 'Command' is mapped to 'target.process.command_line'.
- The field 'Output' is mapped to 'security_result.detection_fields'.
- The field 'Message' is mapped to 'security_result.description'.
- The field 'ActivityID' is mapped to 'security_result.detection_fields'.
- Added the following mappings when EventID is '4103':
  - The field 'Host ID' or 'ContextInfo_Host ID' is mapped to 'target.asset.asset_id'.
  - The field 'Host Name' or 'ContextInfo_Host Name' is mapped to 'target.hostname'.
  - The field 'ContextInfo_Script Name' is mapped to 'target.process.file.full_path'.
  - The field 'ContextInfo_Host Application' is mapped to 'target.process.command_line'.
  - The field 'ContextInfo_Command Name' is mapped to 'security_result.detection_fields'.
  - The field 'ContextInfo_Command Type' is mapped to 'security_result.detection_fields'.
  - The field 'ContextInfo_Sequence Number' or 'Sequence Number' is mapped to 'security_result.detection_fields'.
- Added the following mappings when EventID is '800', '600' or '400':
  - The field 'UserId' is mapped to 'principal.user.userid'.
  - The field 'HostApplication' is mapped to 'target.process.command_line'.
  - The field 'HostId' is mapped to 'target.asset.asset_id'.
  - The field 'HostName' is mapped to 'target.hostname'.
  - The field 'ScriptName' is mapped to 'target.process.file.full_path'.
  - The field 'SequenceNumber' is mapped to 'security_result.detection_fields'.
Date: 2022-10-13
Bug-Fix:
- Fixed the parsing of logs that previously failed by making the following changes:
  - Added "on_error" checks on fields that failed parsing when no value was present, such as 'opcode' and 'Host Application'.
  - Added a new source, 'ContextInfo', for KV parsing when 'Message' is not present in the logs.
Enhancement:
- Modified event_type from "GENERIC_EVENT" to "STATUS_UPDATE".
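The following Python is an added example, not Chronicle's parser code: it approximates the EventID 4103 mappings from the 2022-11-09 entry together with the 2022-10-13 "on_error" skips and the ContextInfo KV fallback on a constructed event. The field names are those listed above; the sample values and the way shared 'security_result.detection_fields' targets are collected as key/value pairs are assumptions.

```python
# Added example, not Chronicle's parser: approximates the EventID 4103 mappings
# from the change log, including the on_error skips and the ContextInfo KV fallback.
# Extracted field name -> UDM path; aliases such as 'Host ID' share one target.
UDM_4103 = {
    "ExecutionProcessID": "principal.process.pid",
    "Host ID": "target.asset.asset_id",
    "ContextInfo_Host ID": "target.asset.asset_id",
    "ContextInfo_Host Name": "target.hostname",
    "ContextInfo_Script Name": "target.process.file.full_path",
    "ContextInfo_Host Application": "target.process.command_line",
    "ContextInfo_Command Name": "security_result.detection_fields",
    "ContextInfo_Command Type": "security_result.detection_fields",
    "ContextInfo_Sequence Number": "security_result.detection_fields",
}

def parse_context_info(blob: str) -> dict:
    """KV-parse the multi-line 'Key = Value' block into 'ContextInfo_<Key>' fields;
    lines with no '=' or an empty value are skipped rather than failing the event."""
    fields = {}
    for line in blob.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() and value.strip():
            fields["ContextInfo_" + key.strip()] = value.strip()
    return fields

def to_udm(event: dict) -> dict:
    """Map a parsed 4103 event to UDM paths; detection_fields collects several
    source fields as key/value pairs because they share that one target."""
    fields = dict(event)
    if "Message" not in fields and "ContextInfo" in fields:
        fields.update(parse_context_info(fields["ContextInfo"]))
    udm = {}
    if fields.get("EventID") != "4103":
        return udm  # 800/600/400 use a different table (not shown here)
    for name, path in UDM_4103.items():
        value = fields.get(name)
        if not value:
            continue  # missing or empty source field: skip, do not fail (on_error)
        if path == "security_result.detection_fields":
            udm.setdefault(path, []).append({"key": name, "value": value})
        else:
            udm[path] = value
    return udm

# Constructed sample: a 4103 event delivered with ContextInfo but no Message.
SAMPLE = {"EventID": "4103", "ExecutionProcessID": "4212",
    "ContextInfo": ("Severity = Informational\n Host Name = ConsoleHost\n"
                    " Host ID = host-id-constructed\n Host Application = powershell.exe\n"
                    " Command Name = Get-Process\n Command Type = Cmdlet\n"
                    " Script Name = \n Sequence Number = 17\n")}
```

Running `to_udm(SAMPLE)` yields the principal and target fields from the table, drops the empty 'Script Name', and ignores unmapped keys such as 'Severity'.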