From 3926e2388fdc1ee684e29796a2721969b8d55312 Mon Sep 17 00:00:00 2001
From: John Connor McLaughlin
Date: Tue, 4 May 2021 15:23:47 -0400
Subject: [PATCH 1/2] Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html

---
 tools/config/winlogbeat-modules-enabled.yml | 1 +
 tools/config/winlogbeat-old.yml | 1 +
 tools/config/winlogbeat.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 7e91eb360..2a4bf2621 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -135,6 +135,7 @@ fieldmappings:
 Product: winlog.event_data.Product
 Properties: winlog.event_data.Properties
 RuleName: winlog.event_data.RuleName
+ ScriptBlockText: winlog.event_data.ScriptBlockText
 SecurityID: winlog.event_data.SecurityID
 ServiceFileName: winlog.event_data.ServiceFileName
 ServiceName: winlog.event_data.ServiceName
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 34fef1fdd..789d5f2b8 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -119,6 +119,7 @@ fieldmappings:
 ProcessName: event_data.ProcessName
 Product: event_data.Product
 Properties: event_data.Properties
+ ScriptBlockText: winlog.event_data.ScriptBlockText
 SecurityID: event_data.SecurityID
 ServiceFileName: event_data.ServiceFileName
 ServiceName: event_data.ServiceName
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 9bb3c5559..1b1f4bdea 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
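Review bot: In the winlogbeat-old.yml hunk the added line `ScriptBlockText: winlog.event_data.ScriptBlockText` carries the `winlog.` prefix while every neighbouring entry in that file (`ProcessName: event_data.ProcessName`, `SecurityID: event_data.SecurityID`) maps into the unprefixed `event_data.*` namespace, so a rule on ScriptBlockText converted with this config would query a field that the older winlogbeat schema does not emit and silently match nothing — a detection gap rather than a conversion error. The second patch in this series only touches winlogbeat-modules-enabled.yml, so this line is not corrected later. It should read `ScriptBlockText: event_data.ScriptBlockText`. The enclosing fieldmappings mapping starts before and continues past the hunk.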
@@ -125,6 +125,7 @@ fieldmappings:
 Properties: winlog.event_data.Properties
 RuleName: winlog.event_data.RuleName
 SAMAccountName: winlog.event_data.SamAccountName
+ ScriptBlockText: winlog.event_data.ScriptBlockText
 SecurityID: winlog.event_data.SecurityID
 ServiceFileName: winlog.event_data.ServiceFileName
 ServiceName: winlog.event_data.ServiceName

From 1574d263ccfb4be2b640f78e26532201d8485661 Mon Sep 17 00:00:00 2001
From: JohnConnorRF
Date: Wed, 5 May 2021 10:25:36 -0400
Subject: [PATCH 2/2] Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178

---
 tools/config/winlogbeat-modules-enabled.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 2a4bf2621..a3034b7c5 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -135,7 +135,7 @@ fieldmappings:
 Product: winlog.event_data.Product
 Properties: winlog.event_data.Properties
 RuleName: winlog.event_data.RuleName
- ScriptBlockText: winlog.event_data.ScriptBlockText
+ ScriptBlockText: powershell.file.script_block_text
 SecurityID: winlog.event_data.SecurityID
 ServiceFileName: winlog.event_data.ServiceFileName
 ServiceName: winlog.event_data.ServiceName
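Review bot: The new value `powershell.file.script_block_text` is the only entry in this hunk that leaves the `winlog.event_data.*` namespace, and nothing in the file records that the rename is done by the winlogbeat powershell module rather than being a typo; a one-line comment above it, `# renamed by the winlogbeat powershell module (see elastic/beats winlogbeat-powershell.js); without that module the value stays under winlog.event_data.ScriptBlockText`, would keep a future maintainer from "fixing" it back to match its neighbours. The companion winlogbeat.yml hunk in the first patch, which appears to be the no-modules config, keeps `winlog.event_data.ScriptBlockText`, so the two files diverge deliberately and the comment should say so. The enclosing fieldmappings mapping starts before and continues past the hunk.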