Windows Integrations Different For the Same Log 100+ Differences

[neu5ron]

1. Regex for Powershell Channel(s):

From Powershell Channel

integrations/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml

Line 264 in 163fd96

Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/;

From Forwarded Powershell Channel

integrations/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml

Line 240 in 163fd96

Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;

)

I would imagine the first one is the correct one per commit: 75c6fad
Also winlogbeat uses this one as well.

Same is also true for Powershell_Operational Regex

2. 40 Differences for Security Channel
   There are over 40 differences between the Security Channel log and the same log within the Forwarded Channel despite them being the same log.

3. 70 Differences for Sysmon Channel
   There are over 70 differences between the Sysmon Channel log and the same log within the Forwarded Channel despite them being the same log.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

@neu5ron Can you provide examples for 2. and 3.?

[neu5ron]

2. security
   just compare these two files
   non forwarded
   forwarded

3. sysmon
   just compare these two files
   non forwarded
   forwarded
   one example
   

[efd6]

@neu5ron I have made changes to handle the cases in powershell, powershell_operational, and sysmon_operational. The case of security is between the system package and the windows package, so it's not so clear that they need to be reconciled. I will take a look.

[neu5ron]

awesome! thank you!
so the system security is the windows security channel - it's definitely confusing given the pipeline names - but in the details, they are both the same

[efd6]

This is done.