elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Winlogbeat process.args splits paths with spaces #28613

Open bitnapper opened 2 years ago

bitnapper commented 2 years ago

Winlogbeat splits process.args by spaces and doesn't preserve paths.

    "process": {
      "command_line": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding",
      "title": "OpsMgr PowerShell Host",
      "args": [
        "C:\\Program",
        "Files\\Microsoft",
        "Monitoring",
        "Agent\\Agent\\MonitoringHost.exe",
        "-Embedding"
      ]
    }
elasticmachine commented 2 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine commented 2 years ago

Pinging @elastic/integrations (Team:Integrations)

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

MakoWish commented 1 year ago

I am also seeing this, so I came to open a new issue, but I see this was already reported a year and a half ago??

Before Winlogbeat used Ingest Pipelines, I handled process.args in Logstash with this:

  if [process][command_line] and ![process][args] {
    ruby {
      # Split on runs of whitespace that are followed by an even number of
      # quote characters up to the end of the string, i.e. whitespace that
      # is not inside a single- or double-quoted argument.
      code => '
        event.set("[process][args]", event.get("[process][command_line]").split(/\s+(?=(?:[^\'"]*[\'"][^\'"]*[\'"])*[^\'"]*$)/))
      '
    }
  }
  if [process][parent][command_line] and ![process][parent][args] {
    ruby {
      # Same split for the parent; the target field must be
      # [process][parent][args] to match the condition above.
      code => '
        event.set("[process][parent][args]", event.get("[process][parent][command_line]").split(/\s+(?=(?:[^\'"]*[\'"][^\'"]*[\'"])*[^\'"]*$)/))
      '
    }
  }

Perhaps a basic split operation more like this should be adopted instead of the very convoluted script that is currently being used in the Ingest Pipeline?

Eric
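The following Go program is an added example for this thread, not code from Beats, the Winlogbeat ingest pipeline, or either commenter. It tokenizes a Windows command line with the CommandLineToArgvW quoting rules (quotes group, 2n backslashes before a quote give n backslashes, 2n+1 give n backslashes plus a literal quote) and then runs the command line from the first post through it. The quoted form comes out as two arguments, but the unquoted form, as reported, still comes apart into the same five tokens that Winlogbeat produced; MakoWish's regex split behaves the same way on it, since that string contains no quotes at all. Nothing in the text marks where the image path ends, so a lexical split of any quality cannot recover it. `RecoverImagePath`, its `exeSuffixes` list and the function names are assumptions made for this example: a heuristic that merges leading tokens up to the first one ending in an executable extension.

```go
package main

import (
	"fmt"
	"strings"
)

// exeSuffixes marks where an unquoted image path ends. This list is an
// assumption for the example, not something Winlogbeat or ECS defines.
var exeSuffixes = []string{".exe", ".com", ".bat", ".cmd", ".scr", ".dll", ".ps1", ".vbs", ".js"}

// SplitWindowsCommandLine tokenizes a Windows command line following the
// CommandLineToArgvW conventions: whitespace outside double quotes separates
// arguments, a double quote toggles quoted mode, 2n backslashes before a
// quote yield n backslashes, 2n+1 yield n backslashes and a literal quote,
// and backslashes anywhere else are literal. The special handling that
// Windows applies to the program-name argument is not modelled.
func SplitWindowsCommandLine(cmd string) []string {
	var args []string
	var cur strings.Builder
	inQuote, haveArg := false, false
	for i := 0; i < len(cmd); {
		c := cmd[i]
		switch {
		case c == '\\':
			j := i
			for j < len(cmd) && cmd[j] == '\\' {
				j++
			}
			n := j - i
			if j < len(cmd) && cmd[j] == '"' {
				cur.WriteString(strings.Repeat(`\`, n/2))
				if n%2 == 1 {
					cur.WriteByte('"') // odd count: escaped literal quote
					j++
				}
			} else {
				cur.WriteString(strings.Repeat(`\`, n)) // backslashes not before a quote are literal
			}
			haveArg = true
			i = j
		case c == '"':
			inQuote = !inQuote
			haveArg = true // "" on its own yields an empty argument
			i++
		case (c == ' ' || c == '\t') && !inQuote:
			if haveArg {
				args = append(args, cur.String())
				cur.Reset()
				haveArg = false
			}
			i++
		default:
			cur.WriteByte(c)
			haveArg = true
			i++
		}
	}
	if haveArg {
		args = append(args, cur.String())
	}
	return args
}

// RecoverImagePath merges leading tokens of an unquoted image path until one
// ends in a known executable extension (assumed heuristic). Tokens are
// returned unchanged when the first token already looks like a complete image
// path or no token carries such an extension. Runs of multiple spaces inside
// the original path collapse to one.
func RecoverImagePath(args []string) []string {
	if len(args) == 0 || hasExeSuffix(args[0]) {
		return args
	}
	for i := 1; i < len(args); i++ {
		if hasExeSuffix(args[i]) {
			merged := strings.Join(args[:i+1], " ")
			return append([]string{merged}, args[i+1:]...)
		}
	}
	return args
}

func hasExeSuffix(tok string) bool {
	lower := strings.ToLower(tok)
	for _, s := range exeSuffixes {
		if strings.HasSuffix(lower, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: the command line from the issue, quoted and unquoted.
	quoted := `"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" -Embedding`
	unquoted := `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe -Embedding`
	fmt.Printf("quoted:    %q\n", SplitWindowsCommandLine(quoted))
	fmt.Printf("unquoted:  %q\n", SplitWindowsCommandLine(unquoted))
	fmt.Printf("recovered: %q\n", RecoverImagePath(SplitWindowsCommandLine(unquoted)))
}
```

The merged path is an enrichment guess, not a fact from the event: the command line is attacker-controlled, so detection logic that needs the real image should read `process.executable` (Sysmon `Image`, or `New Process Name` in event 4688) where the event carries it and treat `args[0]` as advisory.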

elasticmachine commented 7 months ago

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)