From 6dc30e7304648d4b738f3769ea45faf9f1bb05ff Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Thu, 12 Dec 2024 10:37:02 -0700
Subject: [PATCH] more field normalization for cisagov/Malcolm#525, adding normalization for evtx

---
 logstash/pipelines/beats/11_beats_logs.conf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/logstash/pipelines/beats/11_beats_logs.conf b/logstash/pipelines/beats/11_beats_logs.conf
index 868c77293..cf91d814c 100644
--- a/logstash/pipelines/beats/11_beats_logs.conf
+++ b/logstash/pipelines/beats/11_beats_logs.conf
@@ -1013,10 +1013,19 @@ filter {
               mutate { id => "mutate_beats_evtx_error_description_to_result"
                        merge => { "[event][result]" => "[evtx][Event][EventData][Error_Description]" } }
             }
-          } else if ([evtx][Event][EventData][Error_Code]) {
+          }
+          if ([evtx][Event][EventData][Result]) {
+            mutate { id => "mutate_beats_evtx_result_to_result"
+                     merge => { "[event][result]" => "[evtx][Event][EventData][Result]" } }
+          }
+          if ([evtx][Event][EventData][Error_Code]) {
             mutate { id => "mutate_beats_evtx_error_code_to_result"
                      merge => { "[event][result]" => "[evtx][Event][EventData][Error_Code]" } }
           }
+          if ([evtx][Event][EventData][error_Code]) {
+            mutate { id => "mutate_beats_evtx_error_code_lc_to_result"
+                     merge => { "[event][result]" => "[evtx][Event][EventData][error_Code]" } }
+          }
 
           # store the original computer name as host.name as it's probably what people will want to search by
           if ([miscbeat][winlog][Computer]) {
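Review bot: Turning the `else if` on `[evtx][Event][EventData][Error_Code]` into a chain of independent `if` blocks means `[event][result]` can now receive several merged values for one event (Error_Description, Result, Error_Code and error_Code are all candidates), and `mutate`'s `merge` will accumulate them into an array rather than pick one; the conditional chain this hunk is part of starts before the hunk, so earlier branches may contribute as well. If that accumulation is the intent, say so above the first new `if`, e.g. `# [event][result] collects every result/error field present; merge appends, so it may become an array`, since downstream dashboards and detection rules that expect a scalar `event.result` will see a type change. The separate `Error_Code` and `error_Code` checks look deliberate, as Logstash field references are case-sensitive, but a short comment naming which event providers emit the lowercase variant would stop a future reader from "fixing" one of them. Consider also whether a status string such as `Result` and a numeric error code belong in the same field, or whether the code is better kept in a dedicated field like `event.code`-style fields the pipeline already uses elsewhere — I cannot tell from this hunk which ECS fields are already populated.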