
Commit ca5f737

authored
[BugFix] PowerShell - Fix user.name, user.domain, and script_block_signature (#15834)
* [BugFix] PowerShell - Fix `user.name`, `user.domain`, and `script_block_signature` * Update packages/windows/changelog.yml * add related.hosts * ++
1 parent 4aa233e commit ca5f737


10 files changed

+816
-509
lines changed


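--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,12 +1,20 @@
 # newer versions go on top
+- version: "3.2.1"
+changes:
+- description: |
+Fix PowerShell pipeline to correctly populate `user.domain`, `user.name`, and `script_block_signature` fields.
+type: bugfix
+link: https://github.com/elastic/integrations/pull/15834
 - version: "3.2.0"
 changes:
 - description: Expose the "Perfmon Match By Parent Instance" option in Windows Perfmon (default=true). When unchecked, unique instance names are used for processes with the same name.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/15763
 - version: "3.1.3"
 changes:
-- description: Add powershell.file.script_block_entropy and powershell.file.script_block_entropy_normalized fields.
+- description: |
+Add powershell.file.script_block_entropy_bits, powershell.file.script_block_surprisal_stdev,
+powershell.file.script_block_length, and powershell.file.script_block_unique_symbols fields to improve context.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/15698
 - version: "3.1.2"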

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json

Lines changed: 144 additions & 171 deletions

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json

Lines changed: 429 additions & 265 deletions

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json

Lines changed: 21 additions & 6 deletions
@@ -5,7 +5,10 @@
55
"winlog": {
66
"time_created": "2020-05-13T09:04:04.755Z",
77
"user": {
8-
"identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
8+
"identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000",
9+
"domain": "DESKTOP-6RJHI71",
10+
"name": "JohnDoe",
11+
"type": "User"
912
},
1013
"activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}",
1114
"process": {
@@ -66,7 +69,10 @@
6669
"time_created": "2020-05-15T08:11:47.897Z",
6770
"level": "information",
6871
"user": {
69-
"identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
72+
"identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000",
73+
"domain": "DESKTOP-6RJHI71",
74+
"name": "JohnDoe",
75+
"type": "User"
7076
},
7177
"activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}"
7278
},
@@ -102,7 +108,10 @@
102108
],
103109
"winlog": {
104110
"user": {
105-
"identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
111+
"identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000",
112+
"domain": "DESKTOP-6RJHI71",
113+
"name": "JohnDoe",
114+
"type": "User"
106115
},
107116
"activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}",
108117
"channel": "Microsoft-Windows-PowerShell/Operational",
@@ -148,7 +157,7 @@
148157
"event_data": {
149158
"MessageNumber": "1",
150159
"MessageTotal": "1",
151-
"ScriptBlockText": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1",
160+
"ScriptBlockText": "###\n# ==++==\n#\n# Copyright (c) Microsoft Corporation. All rights reserved.\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n#\n###\n@{\n GUID = \"4ae9fd46-338a-459c-8186-07f910774cb8\"\n Author = \"Microsoft Corporation\"\n CompanyName = \"Microsoft Corporation\"\n Copyright = \"(C) Microsoft Corporation. All rights reserved.\"\n HelpInfoUri = \"https://go.microsoft.com/fwlink/?linkid=2113634\"\n ModuleVersion = \"1.4.8.1\"\n PowerShellVersion = \"3.0\"\n ClrVersion = \"4.0\"\n RootModule = \"PackageManagement.psm1\"\n\tDescription = 'PackageManagement (a.k.a. OneGet) is a new way to discover and install software packages from around the web.\n It is a manager or multiplexor of existing package managers (also called package providers) that unifies Windows package management with a single Windows PowerShell interface. 
With PackageManagement, you can do the following.\n - Manage a list of software repositories in which packages can be searched, acquired and installed\n - Discover software packages\n - Seamlessly install, uninstall, and inventory packages from one or more software repositories'\n\n CmdletsToExport = @(\n 'Find-Package',\n 'Get-Package',\n 'Get-PackageProvider',\n 'Get-PackageSource',\n 'Install-Package',\n 'Import-PackageProvider'\n 'Find-PackageProvider'\n 'Install-PackageProvider'\n 'Register-PackageSource',\n 'Set-PackageSource',\n 'Unregister-PackageSource',\n 'Uninstall-Package'\n 'Save-Package'\n\t)\n\n\tFormatsToProcess = @('PackageManagement.format.ps1xml')\n\n\tPrivateData = @{\n PSData = @{\n Tags = @('PackageManagement', 'PSEdition_Core', 'PSEdition_Desktop', 'Linux', 'Mac')\n ProjectUri = 'https://oneget.org'\n ReleaseNotes = @'\n## 1.4.8.1\n- Update PackageManagement's strong name signing\n\n## 1.4.8\n- Add NuGet as a source when generating nuget.config file for user in the NuGet Provider\n\n## 1.4.7\n- Update security protocol to use TLS 1.2\n- Remove catalog file\n\n## 1.4.6\n- Update `HelpInfoUri` to point to the latest content\n\n## 1.4.5\n- Bug fix for deadlock when getting parameters in an event\n\n## 1.4.4\n- Bug fix when installing modules from private feeds\n\n ## 1.4.3\n- Another bug fix when registering repositories with PowerShellGet\n\n## 1.4.2\n- Bug fix for passing credentials from PowerShellGet when registering repositories\n\n## 1.4.1\n- Bug fix for using credential provider installed in Visual Studio\n\n## 1.4\n- Allow credential persistance for registering private repositories and finding or installing packages from those repositories\n\n## 1.3.2\n- Enable bootstrap on PSCore\n- Bug fix to run on .NET Core 3.0\n\n## 1.3.1\n- Targets net452 and netstandard2.0 instead of net451, netcoreapp2.0, and netstandard1.6\n \n## Previous releases are not included in this Changelog\n'@\n }\n }\n}\n\n# SIG # Begin signature block\n# 
MIInoQYJKoZIhvcNAQcCoIInkjCCJ44CAQExDzANBglghkgBZQMEAgEFADB5Bgor\n# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG\n# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCANw97w1D+bi5LY\n# 8ZEuubcA0tI0Z0h+CImFRYop+IIqQaCCDYEwggX/MIID56ADAgECAhMzAAACUosz\n# qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD\n# +nC4D7IMA1+6smM7fbSJa7o4BHfyje8PHB3w9GF223mZTG0EhBlultQkMSpV/c88\n# 9hsbwx16Cr5sY9M/lSRt4oC3qzSuTmYd6VYJ/ILt9ptrpOkaYCiXXRx8Cfz7w53w\n# Au/J8xJjNWvrKxkcc8XiUXPfGGTXujyiS2MqvztBkg6wCduFKqogmvOtQiiwQQxE\n# G6lU/rss27omoTUc41EawOr1km5y+fUS9aoYX9K8NNhFH6TSni3dp/+Hiyif1T7X\n# g0cBy4yHuYxMmRrFcmGeplW3KhXHfkJjbHaVs1QgnRfkgFuypwF5YoFWrW7Xgj+a\n# ZCDKSoYq45E4v0ryIvyu0shBoHQXREAzpBv3L9h5A9vEFQG4alCI57oSbdqJ1YIa\n# ggkTQHR2CWdB7FnQilCqqZjSnAtXYZh/RD+PX6fg1UyUUQf5ohnw951pQeKYTYHm\n# Fwut+RibzdbHEF/kLZr6SZsDupCv\n# SIG # End signature block",
152161
"ScriptBlockId": "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
153162
},
154163
"provider_name": "Microsoft-Windows-PowerShell",
@@ -158,7 +167,10 @@
158167
"provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
159168
"time_created": "2020-05-14T11:33:51.389Z",
160169
"user": {
161-
"identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
170+
"identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000",
171+
"domain": "DESKTOP-6RJHI71",
172+
"name": "JohnDoe",
173+
"type": "User"
162174
},
163175
"activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}",
164176
"channel": "Microsoft-Windows-PowerShell/Operational",
@@ -255,7 +267,10 @@
255267
"task": "Executing Pipeline",
256268
"time_created": "2023-06-01T05:27:01.2479769Z",
257269
"user": {
258-
"identifier": "S-1-5-5"
270+
"identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000",
271+
"domain": "DESKTOP-6RJHI71",
272+
"name": "JohnDoe",
273+
"type": "User"
259274
},
260275
"version": 1
261276
}
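Review bot: The last hunk (@@ -255,7 +267,10 @@) replaces the only visible fixture record whose `winlog.user` carried a bare, non-account SID (`"identifier": "S-1-5-5"`) with no `domain`/`name`, so after this change every record in the file has the same fully-resolved user and the pipeline's behaviour when `winlog.user.domain` and `winlog.user.name` are absent is no longer exercised — which appears to be the very path a fix for `user.name`/`user.domain` must handle. Consider keeping one record with only `"identifier": "S-1-5-5"` (or any SID without `domain`/`name`) so the expected-output file pins whether `user.name` and `user.domain` are left unset rather than populated from another record; the same applies to `"type": "User"`, which now appears with no alternative value anywhere in the fixture. The enclosing event object begins and ends outside the hunk.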
