From 70056da36c9dc7c637247023d82e5c371efa3cae Mon Sep 17 00:00:00 2001
From: webhead404
Date: Mon, 30 Mar 2020 08:49:06 -0500
Subject: [PATCH] Add process.command_line to Sysmon module

Adds the process.command_line field to Sysmon module that does not split the field into multiple values.
---
 x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index 83f24193a669..ae724815085b 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -307,6 +307,7 @@ var sysmon = (function () {
 return;
 }
 evt.Put(field, winlogbeat.splitCommandLine(commandLine));
+ evt.Put("process.command_line", commandLine);
 };
 var splitProcessArgs = function(evt) {
@@ -468,6 +469,7 @@ var sysmon = (function () {
 {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"},
 {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
 {from: "winlog.event_data.Image", to: "process.executable"},
+ {from: "winlog.event_data.CommandLine", to: "process.command_line"},
 {from: "winlog.event_data.CommandLine", to: "process.args"},
 {from: "winlog.event_data.CurrentDirectory", to: "process.working_directory"},
 {from: "winlog.event_data.ParentProcessGuid", to: "process.parent.entity_id"},
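Review bot: The added `evt.Put("process.command_line", commandLine);` ignores the helper's `field` parameter, so every call writes the unsplit string to the same fixed key no matter which field is being split. If this helper is also invoked for the parent process (the `splitProcessArgs` wrapper right below suggests a parent counterpart exists, though it is not visible here), the parent's command line would overwrite `process.command_line` on the same event. Because the second hunk already maps `winlog.event_data.CommandLine` directly to `process.command_line`, this line is redundant for the process case and only a hazard for any other caller; I would drop it and keep the helper single-purpose, or derive the target from `field` instead of hard-coding it. The enclosing function starts outside the hunk.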
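Review bot: The new entry and the existing one directly below it both read `winlog.event_data.CommandLine`; if this Convert table runs in rename mode (its `mode` option is outside the hunk, so I cannot confirm), the source field is gone after the first entry fires and `process.args` is never populated. The safer shape is to keep only `{from: "winlog.event_data.CommandLine", to: "process.command_line"},` here and have the downstream split helper read `process.command_line` into `process.args`, which also leaves a single source of truth for the raw string. Sysmon event 1 also carries `ParentCommandLine`; if it is mapped elsewhere in this table, a matching `process.parent.command_line` target would keep the two consistent. The table this hunk belongs to starts and ends outside the hunk.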