[8.9](backport #36178) x-pack/winlogbeat/module/powershell: improve d…

…etails regexp pattern performance (#36186)

The details regexp pattern for the powershell data stream was improved
in the windows integration in elastic/integrations#6154 to reduce
backtracking costs that caused regexp costs to exceed the set runtime
limits. The same pattern on other data streams and in winlogbeat was not
updated. This change brings winlogbeat up to date with the change.

(cherry picked from commit d8db41b)

CHANGELOG.next.asciidoc

@@ -139,6 +139,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 
 *Winlogbeat*
 
+- Fix powershell details regexp to prevent excessive backtracking when processing command invocations. {pull}36178[36178]
 
 *Functionbeat*
 

x-pack/winlogbeat/module/powershell/ingest/powershell.yml

@@ -232,7 +232,7 @@ processors:
         field: param3
       source: |-
         def parseRawDetail(String raw) {
-            Pattern detailRegex = /^([^:(]+)\((.+)\)\:\s*(.+)?$/;
+            Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/;
             Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/;
 
             def matcher = detailRegex.matcher(raw);

x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml

@@ -284,7 +284,7 @@ processors:
         field: Payload
       source: |-
         def parseRawDetail(String raw) {
-            Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
+            Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/;
             Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/;
 
             def matcher = detailRegex.matcher(raw);