[Winlogbeat] CLI Values to ECS process.command_line

[neu5ron]

Currently in the winlogbeat modules for ECS there is a field for process.command_line which stores the entire command line. As of right now the winlogbeat modules split the command line into process.args which removes the ability to analyze the command line in its original entirety.
Currently this affects Machine Learning jobs, watcher queries, and other queries/rules in their accuracy to match the values.

The solution appears simple, just need to copy the command line value before it gets process into process.args split function.

In the winlogbeat security module copy before this line:

beats/x-pack/winlogbeat/module/security/config/winlogbeat-security.js

Line 1314 in bb70dc7

evt.Put("process.args", winlogbeat.splitCommandLine(cl));

In the winlogbeat sysmon module, copy the value to process.command_line before this line

beats/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js

Line 407 in bb70dc7

{from: "winlog.event_data.CommandLine", to: "process.args"},

or this line

beats/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js

Line 249 in bb70dc7

splitCommandLine(evt, "process.args");

This may need ported for auditbeat and filebeat too.

[neu5ron]

related in a way that may show the importance of this field and matching with EQL and endpoint elastic/ecs#647

[rw-access]

@neu5ron was this fixed in #17823?

[neu5ron]

@rw-access I dont believe so, does not appear to be extended to the Security module. Also, I think the same may still apply for any linux (or other) modules.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[neu5ron]

creating recent activity, not sure should be closed as stale - still exists.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[neu5ron]

bumping this again, still the same issue.
is it possible to just create a catch all at the end of these beats pipelines and ingest pipelines to copy process.args(joined by single white space) to process.command_line ?

@rw-access thoughts?

[rw-access]

depends on your needs, but I wouldn't recommend it if you plan on writing detection logic for that field. it wouldn't preserve any of the original quoting or escapes

[botelastic]

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!