splunk / security_content

Splunk Security Content
https://research.splunk.com
Apache License 2.0

[BUG] `Message` vs. `ScriptBlockText` for PowerShell rules #3015

Closed ccl0utier closed 1 month ago

ccl0utier commented 2 months ago

Describe the bug

We seem to have a mix of fields between Message and ScriptBlockText for the PowerShell rules in ESCU. If my own testing is correct, the Message field is only extracted when the PowerShell Windows Event Logs are ingested in Classic Mode (renderXml=false), while ScriptBlockText is only extracted when the XML version is ingested (renderXml=true).

If I'm correct, this might lead some of these detections to fail depending on how the PowerShell logs are ingested.

As a reference, the following PowerShell-related detections use Message (the others use ScriptBlockText):

Expected behavior

Do we want to standardize on ScriptBlockText? And possibly document that a requirement for these detections to work is to use the XML format for those Windows Event Logs? E.g.: renderXml = true? Or support both versions?

And/or work with the Windows Add-on team to add an explicit extraction for ScriptBlockText to the TA?

App Version:

Additional context

Add any other context about the problem here.
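One way to make a 4104 search tolerant of either ingestion mode, added here as an example and not code from the issue or from the security_content repository: it takes ScriptBlockText when the XML rendering provides it and otherwise carves the script body out of the classic-mode Message. The rex pattern for the classic Message layout, the two source names, and the Computer/ComputerName field pair are assumptions about the Splunk Add-on for Windows extractions.

```spl
(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational") EventCode=4104
| rex field=Message "(?s)Creating Scriptblock text \(\d+ of \d+\):\s*(?<MessageScriptBlock>.*?)\s*ScriptBlock ID:"
| eval ScriptBlockText=coalesce(ScriptBlockText, MessageScriptBlock)
| eval host_name=coalesce(Computer, ComputerName)
| where isnotnull(ScriptBlockText)
| stats count min(_time) as firstTime max(_time) as lastTime by host_name EventCode ScriptBlockText
```

If the inputs are switched to renderXml = true, the rex and the coalesce become no-ops and the search behaves like the ScriptBlockText-only detections.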

ljstella commented 2 months ago

Not sure where your list came from, as some of those have already been using ScriptBlockText, but for the one that was still based on multi-line logs, we've got an MR internally to update this and should have it merged soon.