Winlogbeat: fix powershell unprefixed fields in fields.yml (elastic#1…

…9003) Closes elastic#18984 (cherry picked from commit 498c7ce)
marc-gr · Jun 5, 2020 · 87bc0e1 · 87bc0e1
1 parent a340d58
commit 87bc0e1
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 11 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -71,6 +71,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364]
 - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
 - Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526]
+- Fix Powershell processing of downgraded engine events. {pull}18966[18966]
+- Fix unprefixed fields in `fields.yml` for Powershell module {issue}18984[18984]
 
 *Functionbeat*
 

diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
@@ -7482,7 +7482,7 @@ These are the event fields specific to the module for the Microsoft-Windows-Powe
 
 
 
-*`id`*::
+*`powershell.id`*::
 +
 --
 Shell Id.
@@ -7493,7 +7493,7 @@ example: Microsoft Powershell
 
 --
 
-*`pipeline_id`*::
+*`powershell.pipeline_id`*::
 +
 --
 Pipeline id.
@@ -7504,7 +7504,7 @@ example: 1
 
 --
 
-*`runspace_id`*::
+*`powershell.runspace_id`*::
 +
 --
 Runspace id.
@@ -7515,7 +7515,7 @@ example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb
 
 --
 
-*`sequence`*::
+*`powershell.sequence`*::
 +
 --
 Sequence number of the powershell execution.
@@ -7526,7 +7526,7 @@ example: 1
 
 --
 
-*`total`*::
+*`powershell.total`*::
 +
 --
 Total number of messages in the sequence.

diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml
@@ -5,27 +5,27 @@
   release: beta
   fields:
 
-    - name: id
+    - name: powershell.id
       type: keyword
       description: Shell Id.
       example: Microsoft Powershell
 
-    - name: pipeline_id
+    - name: powershell.pipeline_id
       type: keyword
       description: Pipeline id.
       example: "1"
 
-    - name: runspace_id
+    - name: powershell.runspace_id
       type: keyword
       description: Runspace id.
       example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb"
 
-    - name: sequence
+    - name: powershell.sequence
       type: long
       description: Sequence number of the powershell execution.
       example: 1
 
-    - name: total
+    - name: powershell.total
       type: long
       description: Total number of messages in the sequence.
       example: 10

diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go