
Map CommandLine appropriately
Args is an array of the exploded command line and causes many rules to misfire.
roysks committed Mar 30, 2021
1 parent 48265ad commit 30ab2aa
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions tools/config/winlogbeat-modules-enabled.yml
Expand Up @@ -84,7 +84,7 @@ fieldmappings:
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
Channel: winlog.channel
CommandLine: process.args
CommandLine: process.command_line
ComputerName: winlog.ComputerName
CurrentDirectory: process.working_directory
Description: winlog.event_data.Description
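Review bot: the type change on the CommandLine line is the real fix here and deserves a word in the file: Sigma CommandLine conditions are substring and wildcard matches against one string, and in ECS process.command_line is that string while process.args is the exploded token array, so a match against args only succeeded when a token happened to equal or contain the pattern on its own. Since nothing in the fieldmappings block records this, add a short comment next to `CommandLine: process.command_line` saying why args must not be used, or the next cleanup will put it back. Also confirm that the winlogbeat modules in use actually populate process.command_line for the event IDs the rules target; where the field is absent the rules now match nothing instead of misfiring, which is quieter but still wrong.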
Expand Down Expand Up @@ -125,7 +125,7 @@ fieldmappings:
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: process.parent.args
ParentCommandLine: process.parent.command_line
ParentProcessName: process.parent.name
ParentImage: process.parent.executable
Path: winlog.event_data.Path
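Review bot: the ParentCommandLine line makes the same args to command_line move as the CommandLine hunk, so the two stay consistent, and the neighbouring `ParentProcessName: process.parent.name` and `ParentImage: process.parent.executable` already follow the string-valued convention. One thing to check before merging: these are the only two array-valued targets visible in this diff, but the file also maps fields outside the shown context, so grep the rest of fieldmappings for any other `.args` target that would fail the same way.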

0 comments on commit 30ab2aa