x-pack/winlogbeat/module/powershell: don't split tokens on hyphen (#2…

…8483) (#28982) (cherry picked from commit f11b9ff) Co-authored-by: Dan Kortschak <[email protected]> Co-authored-by: Dan Kortschak <[email protected]>
elastic · Nov 16, 2021 · 6e66d57 · 6e66d57
1 parent 633ac3f
commit 6e66d57
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -229,6 +229,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627]
 - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
 - Add ECS 1.9 new users fields {pull}26509[26509]
+- Don't split hyphenated tokens {pull}28483[28483]
 
 *Functionbeat*
 

diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml
@@ -127,6 +127,14 @@
 
         - name: script_block_text
           type: text
+          analyzer:
+            winlogbeat_powershell_script_analyzer:
+              type: pattern
+              pattern: "[\\W&&[^-]]+"
+          search_analyzer:
+            winlogbeat_powershell_script_analyzer:
+              type: pattern
+              pattern: "[\\W&&[^-]]+"
           description: >
             Text of the executed script block.
           example: ".\\a_script.ps1"

diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go