From 30ab2aad753c3c9e3c56ba70c8b8c04e3ad6f91c Mon Sep 17 00:00:00 2001
From: Joshua Roys
Date: Tue, 30 Mar 2021 10:15:10 -0400
Subject: [PATCH] Map CommandLine appropriately

Args is an array of the exploded command line and causes many rules to misfire.
---
 tools/config/winlogbeat-modules-enabled.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index a70d4d1a2..07bef1889 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -84,7 +84,7 @@ fieldmappings:
   CallingProcessName: winlog.event_data.CallingProcessName
   CallTrace: winlog.event_data.CallTrace
   Channel: winlog.channel
-  CommandLine: process.args
+  CommandLine: process.command_line
   ComputerName: winlog.ComputerName
   CurrentDirectory: process.working_directory
   Description: winlog.event_data.Description
@@ -125,7 +125,7 @@ fieldmappings:
   ObjectName: winlog.event_data.ObjectName
   ObjectType: winlog.event_data.ObjectType
   ObjectValueName: winlog.event_data.ObjectValueName
-  ParentCommandLine: process.parent.args
+  ParentCommandLine: process.parent.command_line
   ParentProcessName: process.parent.name
   ParentImage: process.parent.executable
   Path: winlog.event_data.Path
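Review bot: The new `CommandLine: process.command_line` mapping carries the reason for the change only in the commit message; the file itself gives no hint that `process.args` is an exploded array, so the next person who "corrects" it back to the ECS field they see in a Sysmon document has nothing to stop them. Add a comment above the mapping, e.g. `# process.args is an array of split arguments; string-matching rules need the full command line`, and the same above `ParentCommandLine` in the second hunk. Whether every winlogbeat module that feeds this config populates `process.command_line` (and not only `process.args`) is not visible here, so it is worth confirming against the module's ingest pipeline before rules that previously matched on args go quiet. The same array-vs-string mismatch may affect any other `*.args` mappings elsewhere in the file, which lies outside these hunks.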