Skip to content

[Enhancement] Add Entropy Enrichments to PowerShell events#15698

Merged
w0rk3r merged 16 commits intomainfrom
posh_entropy
Nov 6, 2025
Merged

[Enhancement] Add Entropy Enrichments to PowerShell events#15698
w0rk3r merged 16 commits intomainfrom
posh_entropy

Conversation

@w0rk3r
Copy link
Contributor

@w0rk3r w0rk3r commented Oct 20, 2025
edited
Loading

Proposed commit message

Adds powershell.file.script_block_entropy_bits and powershell.file.script_block_surprisal_sd
fields computed at ingest time using Shannon entropy over Unicode characters. These fields
quantify character-level randomness and distribution uniformity of PowerShell script blocks
to provide context for obfuscation detection. Also adds script_block_length and
script_block_unique_symbols for enrichment analysis.

Summary

Related to https://github.com/elastic/ia-trade-team/issues/704

Adds four fields for script analysis at ingest time:

  • script_block_entropy_bits: Shannon entropy (0-20 bits) measuring randomness
  • script_block_surprisal_sd: Distribution uniformity of characters
  • script_block_length: Total character count
  • script_block_unique_symbols: Distinct character count

These fields help us improve and tune PowerShell obfuscation detections by providing additional context about the scripts content.

Inspired by: Painless Parsing: Shannon Entropy Calculation - Services

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@w0rk3r w0rk3r self-assigned this Oct 20, 2025
@w0rk3r w0rk3r requested a review from a team as a code owner October 20, 2025 17:46
@w0rk3r w0rk3r added the enhancement New feature or request label Oct 20, 2025
@w0rk3r w0rk3r requested a review from a team as a code owner October 20, 2025 17:46
@w0rk3r w0rk3r added the Integration:windows Windows label Oct 20, 2025
@w0rk3r w0rk3r requested review from a team, faec and rdner October 20, 2025 17:46
@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels Oct 20, 2025
@elasticmachine
Copy link

elasticmachine commented Oct 20, 2025

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

efd6
efd6 reviewed Oct 20, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that you can also calculate the entropy variance with very little extra work.

@w0rk3r w0rk3r marked this pull request as draft October 20, 2025 21:02
@w0rk3r w0rk3r changed the title [Enhancement] Add Script Entropy Fields to PowerShell events [Enhancement] Add Entropy Enrichments to PowerShell events Oct 28, 2025
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Oct 28, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@w0rk3r w0rk3r marked this pull request as ready for review October 28, 2025 19:14
@w0rk3r w0rk3r requested a review from efd6 October 28, 2025 19:14
efd6
efd6 reviewed Oct 28, 2025
View reviewed changes
@w0rk3r w0rk3r requested a review from efd6 October 28, 2025 22:19
efd6
efd6 approved these changes Oct 28, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after nits (but not a code owner).

@w0rk3r @efd6
Update packages/windows/data_stream/forwarded/elasticsearch/ingest_pi…
13c32b3 
…peline/powershell_operational.yml

Co-authored-by: Dan Kortschak <[email protected]>
@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] label Oct 29, 2025
@elasticmachine
Copy link

elasticmachine commented Oct 29, 2025

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@w0rk3r @efd6
Update packages/windows/data_stream/forwarded/elasticsearch/ingest_pi…
618da7e 
…peline/powershell_operational.yml

Co-authored-by: Dan Kortschak <[email protected]>
@elasticmachine
Copy link

elasticmachine commented Oct 29, 2025

💚 Build Succeeded

History

cc @w0rk3r

@w0rk3r w0rk3r merged commit 4bbefe6 into main Nov 6, 2025
7 checks passed
@w0rk3r w0rk3r deleted the posh_entropy branch November 6, 2025 19:12
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Nov 6, 2025

Package windows - 3.1.3 containing this change is available at https://epr.elastic.co/package/windows/3.1.3/

@w0rk3r w0rk3r mentioned this pull request Nov 7, 2025
Merged
5 tasks
tehbooom pushed a commit to tehbooom/integrations that referenced this pull request Nov 19, 2025
@w0rk3r @efd6
[Enhancement] Add Entropy Enrichments to PowerShell events (elastic#1…
a34055a 
…5698)

* [Enhancement] Add Script Entropy Fields to PowerShell events

* Update default.yml

* Drop normalized entropy

* Test

* v2

* v2 - forwarded data stream

* Apply suggestions

* Update packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml

Co-authored-by: Dan Kortschak <[email protected]>

* Update README.md

* update expected json files - script_block_surprisal_stdev

* Update packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml

Co-authored-by: Dan Kortschak <[email protected]>

* Update packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml

* Update default.yml

---------

Co-authored-by: Dan Kortschak <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 approved these changes

@faec faec faec approved these changes

@nfritts nfritts nfritts approved these changes

@rdner rdner Awaiting requested review from rdner rdner is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@w0rk3r w0rk3r

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:windows Windows Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@w0rk3r @elasticmachine @faec @nfritts @efd6 @pierrehilbert @andrewkroh