From 3a1e4a450c5c867c32baa6d19fdb6782d2dc9deb Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 1 Aug 2023 07:35:34 +0930 Subject: [PATCH] [8.9](backport #36178) x-pack/winlogbeat/module/powershell: improve details regexp pattern performance (#36186) The details regexp pattern for the powershell data stream was improved in the windows integration in elastic/integrations#6154 to reduce backtracking costs that caused regexp costs to exceed the set runtime limits. The same pattern on other data streams and in winlogbeat was not updated. This change brings winlogbeat up to date with the change. (cherry picked from commit d8db41b) --- CHANGELOG.next.asciidoc | 1 + x-pack/winlogbeat/module/powershell/ingest/powershell.yml | 2 +- .../module/powershell/ingest/powershell_operational.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f103c8239f1..d001bc58b3d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -139,6 +139,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] *Winlogbeat* +- Fix powershell details regexp to prevent excessive backtracking when processing command invocations. {pull}36178[36178] *Functionbeat* diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml index 2c3a3a3e85c..34f537bce36 100644 --- a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml +++ b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml @@ -232,7 +232,7 @@ processors: field: param3 source: |- def parseRawDetail(String raw) { - Pattern detailRegex = /^([^:(]+)\((.+)\)\:\s*(.+)?$/; + Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/; Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; def matcher = detailRegex.matcher(raw); 
diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml index cb7830ed304..db36f6aed99 100644 --- a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml +++ b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml @@ -284,7 +284,7 @@ processors: field: Payload source: |- def parseRawDetail(String raw) { - Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; + Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/; Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; def matcher = detailRegex.matcher(raw);
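Review bot: in the `powershell.yml` hunk (the `parseRawDetail` script on `param3`), swapping the second group `(.+)` for `([^)]+)` removes the nested quantifier backtracking but also narrows what matches: a raw detail whose parenthesised section itself contains a `)` (nested parentheses inside a parameter or bound value) matched the old greedy `.+` and now fails entirely, because `[^)]+` stops at the first `)` and the following `\)\:` does not match the next character. Please confirm the module's golden test files include such an input, or that the branch taken when `matcher` finds no match (outside this hunk's context) yields an acceptable document, and add a fixture either way. The trailing `\s*(.+)?$` can stay as is since its backtracking is bounded by a single character class; the `\:` and `\=` escapes are unnecessary in this regex dialect and could be dropped for readability, though they are harmless.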
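Review bot: in the `powershell_operational.yml` hunk (the `parseRawDetail` script on `Payload`), the change is wider than the commit message and the CHANGELOG entry describe: the previous pattern here was `^(.+)\((.+)\)\:\s*(.+)?$`, so in addition to the second group becoming `[^)]+`, the first group moves from `(.+)` to `([^:(]+)`. That brings the operational stream in line with `powershell.yml`, but it means any detail with a `:` or `(` before the opening parenthesis of the argument list, which the old operational pattern tolerated, is now rejected rather than parsed. Suggest stating this in the CHANGELOG entry and checking the operational data stream's own test fixtures for such inputs instead of relying on the `powershell.yml` ones, since the two scripts started from different patterns.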