elastic · marc-gr · May 28, 2020 · May 28, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -68,6 +68,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding `process.hash`, `process.pe.imphash`, `file.hash`, or `file.pe.imphash`. {issue}18364[18364]
 - Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364]
 - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
+- Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526]
 
 *Functionbeat*
 

diff --git a/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl b/winlogbeat/_meta/config/winlogbeat.event_logs.yml.tmpl
@@ -8,3 +8,9 @@ winlogbeat.event_logs:
 
   - name: ForwardedEvents
     tags: [forwarded]
+
+  - name: Windows PowerShell
+    event_id: 400, 403, 600, 800
+
+  - name: Microsoft-Windows-PowerShell/Operational
+    event_id: 4103, 4104, 4105, 4106
diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
@@ -20,6 +20,7 @@ grouped in the following categories:
 * <<exported-fields-host-processor>>
 * <<exported-fields-jolokia-autodiscover>>
 * <<exported-fields-kubernetes-processor>>
+* <<exported-fields-powershell>>
 * <<exported-fields-process>>
 * <<exported-fields-security>>
 * <<exported-fields-sysmon>>
@@ -7474,6 +7475,313 @@ type: keyword
 
 --
 
+[[exported-fields-powershell]]
+== PowerShell module fields
+
+These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs.
+
+
+
+*`id`*::
++
+--
+Shell Id.
+
+type: keyword
+
+example: Microsoft Powershell
+
+--
+
+*`pipeline_id`*::
++
+--
+Pipeline id.
+
+type: keyword
+
+example: 1
+
+--
+
+*`runspace_id`*::
++
+--
+Runspace id.
+
+type: keyword
+
+example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb
+
+--
+
+*`sequence`*::
++
+--
+Sequence number of the powershell execution.
+
+type: long
+
+example: 1
+
+--
+
+*`total`*::
++
+--
+Total number of messages in the sequence.
+
+type: long
+
+example: 10
+
+--
+
+[float]
+=== powershell.command
+
+Data related to the executed command.
+
+
+*`powershell.command.path`*::
++
+--
+Path of the executed command.
+
+type: keyword
+
+example: C:\Windows\system32\cmd.exe
+
+--
+
+*`powershell.command.name`*::
++
+--
+Name of the executed command.
+
+type: keyword
+
+example: cmd.exe
+
+--
+
+*`powershell.command.type`*::
++
+--
+Type of the executed command.
+
+type: keyword
+
+example: Application
+
+--
+
+*`powershell.command.value`*::
++
+--
+The invoked command.
+
+type: text
+
+example: Import-LocalizedData  LocalizedData -filename ArchiveResources
+
+--
+
+*`powershell.command.invocation_details`*::
++
+--
+An array of objects containing detailed information of the executed command.
+
+
+type: array
+
+--
+
+*`powershell.command.invocation_details.type`*::
++
+--
+The type of detail.
+
+type: keyword
+
+example: CommandInvocation
+
+--
+
+*`powershell.command.invocation_details.related_command`*::
++
+--
+The command to which the detail is related to.
+
+type: keyword
+
+example: Add-Type
+
+--
+
+*`powershell.command.invocation_details.name`*::
++
+--
+Only used for ParameterBinding detail type. Indicates the parameter name.
+
+
+type: keyword
+
+example: AssemblyName
+
+--
+
+*`powershell.command.invocation_details.value`*::
++
+--
+The value of the detail. The meaning of it will depend on the detail type.
+
+
+type: text
+
+example: System.IO.Compression.FileSystem
+
+--
+
+[float]
+=== powershell.connected_user
+
+Data related to the connected user executing the command.
+
+
+*`powershell.connected_user.domain`*::
++
+--
+User domain.
+
+type: keyword
+
+example: VAGRANT
+
+--
+
+*`powershell.connected_user.name`*::
++
+--
+User name.
+
+type: keyword
+
+example: vagrant
+
+--
+
+[float]
+=== powershell.engine
+
+Data related to the PowerShell engine.
+
+
+*`powershell.engine.version`*::
++
+--
+Version of the PowerShell engine version used to execute the command.
+
+type: keyword
+
+example: 5.1.17763.1007
+
+--
+
+*`powershell.engine.previous_state`*::
++
+--
+Previous state of the PowerShell engine.
+
+
+type: keyword
+
+example: Available
+
+--
+
+*`powershell.engine.new_state`*::
++
+--
+New state of the PowerShell engine.
+
+
+type: keyword
+
+example: Stopped
+
+--
+
+[float]
+=== powershell.file
+
+Data related to the executed script file.
+
+
+*`powershell.file.script_block_id`*::
++
+--
+Id of the executed script block.
+
+type: keyword
+
+example: 50d2dbda-7361-4926-a94d-d9eadfdb43fa
+
+--
+
+*`powershell.file.script_block_text`*::
++
+--
+Text of the executed script block.
+
+
+type: text
+
+example: .\a_script.ps1
+
+--
+
+*`powershell.process.executable_version`*::
++
+--
+Version of the engine hosting process executable.
+
+type: keyword
+
+example: 5.1.17763.1007
+
+--
+
+[float]
+=== powershell.provider
+
+Data related to the PowerShell engine host.
+
+
+*`powershell.provider.new_state`*::
++
+--
+New state of the PowerShell provider.
+
+
+type: keyword
+
+example: Active
+
+--
+
+*`powershell.provider.name`*::
++
+--
+Provider name.
+
+
+type: keyword
+
+example: Variable
+
+--
+
 [[exported-fields-process]]
 == Process fields
 

diff --git a/winlogbeat/docs/images/kibana-powershell.jpg b/winlogbeat/docs/images/kibana-powershell.jpg