This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« Kubernetes fields Process fields »
Elastic Docs Winlogbeat Reference [master] Exported fields

PowerShell module fields

PowerShell module fields

These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs.

powershell.id

Shell Id.

type: keyword

example: Microsoft Powershell

powershell.pipeline_id

Pipeline id.

type: keyword

example: 1

powershell.runspace_id

Runspace id.

type: keyword

example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb

powershell.sequence

Sequence number of the powershell execution.

type: long

example: 1

powershell.total

Total number of messages in the sequence.

type: long

example: 10

powershell.command

Data related to the executed command.

powershell.command.path

Path of the executed command.

type: keyword

example: C:\Windows\system32\cmd.exe

powershell.command.name

Name of the executed command.

type: keyword

example: cmd.exe

powershell.command.type

Type of the executed command.

type: keyword

example: Application

powershell.command.value

The invoked command.

type: text

example: Import-LocalizedData LocalizedData -filename ArchiveResources

powershell.command.invocation_details

An array of objects containing detailed information of the executed command.

type: array

powershell.command.invocation_details.type

The type of detail.

type: keyword

example: CommandInvocation

powershell.command.invocation_details.related_command

The command to which the detail is related to.

type: keyword

example: Add-Type

powershell.command.invocation_details.name

Only used for ParameterBinding detail type. Indicates the parameter name.

type: keyword

example: AssemblyName

powershell.command.invocation_details.value

The value of the detail. The meaning of it will depend on the detail type.

type: text

example: System.IO.Compression.FileSystem

powershell.connected_user

Data related to the connected user executing the command.

powershell.connected_user.domain

User domain.

type: keyword

example: VAGRANT

powershell.connected_user.name

User name.

type: keyword

example: vagrant

powershell.engine

Data related to the PowerShell engine.

powershell.engine.version

Version of the PowerShell engine version used to execute the command.

type: keyword

example: 5.1.17763.1007

powershell.engine.previous_state

Previous state of the PowerShell engine.

type: keyword

example: Available

powershell.engine.new_state

New state of the PowerShell engine.

type: keyword

example: Stopped

powershell.file

Data related to the executed script file.

powershell.file.script_block_id

Id of the executed script block.

type: keyword

example: 50d2dbda-7361-4926-a94d-d9eadfdb43fa

powershell.file.script_block_text

Text of the executed script block.

type: text

example: .\a_script.ps1

powershell.process.executable_version

Version of the engine hosting process executable.

type: keyword

example: 5.1.17763.1007

powershell.provider

Data related to the PowerShell engine host.

powershell.provider.new_state

New state of the PowerShell provider.

type: keyword

example: Active

powershell.provider.name

Provider name.

type: keyword

example: Variable

« Kubernetes fields Process fields »