x-pack/winlogbeat/module/powershell: improve details regexp pattern p…

…erformance (#36178)

The details regexp pattern for the powershell data stream was improved
in the windows integration in elastic/integrations#6154 to reduce
backtracking costs that caused regexp costs to exceed the set runtime
limits. The same pattern on other data streams and in winlogbeat was not
updated. This change brings winlogbeat up to date with the change.

CHANGELOG.next.asciidoc

@@ -188,6 +188,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 
 *Winlogbeat*
 
+- Fix powershell details regexp to prevent excessive backtracking when processing command invocations. {pull}36178[36178]
 
 *Functionbeat*
 

x-pack/winlogbeat/module/powershell/ingest/powershell.yml

@@ -232,7 +232,7 @@ processors:
         field: param3
       source: |-
         def parseRawDetail(String raw) {
-            Pattern detailRegex = /^([^:(]+)\((.+)\)\:\s*(.+)?$/;
+            Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/;
             Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/;
 
             def matcher = detailRegex.matcher(raw);

x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml

@@ -284,7 +284,7 @@ processors:
         field: Payload
       source: |-
         def parseRawDetail(String raw) {
-            Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
+            Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/;
             Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/;
 
             def matcher = detailRegex.matcher(raw);