[windows.powershell_operational] Handle ContextInfo containing multi-line values

packages/windows/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.2.3"
+  changes:
+    - description: Handle ContextInfo containing multi-line values in PowerShell Event ID 4103.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/16013
 - version: "3.2.2"
   changes:
     - description: |

packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json

@@ -49,10 +49,10 @@
             "log": {
                 "level": "Warning\u0000"
             },
+            "message": "%OSDRIVE%\\USERS\\NICPE\\.VSCODE\\EXTENSIONS\\MS-VSCODE.POWERSHELL-2023.6.0\\MODULES\\PSSCRIPTANALYZER\\1.21.0\\PSSCRIPTANALYZER.PSM1 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.\u0000",
             "process": {
                 "pid": 25192
             },
-            "message": "%OSDRIVE%\\USERS\\NICPE\\.VSCODE\\EXTENSIONS\\MS-VSCODE.POWERSHELL-2023.6.0\\MODULES\\PSSCRIPTANALYZER\\1.21.0\\PSSCRIPTANALYZER.PSM1 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.\u0000",
             "user": {
                 "id": "S-1-5-21-2707992022-4034939591-3454028951-1001",
                 "name": "nicpe"

packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json

@@ -275,6 +275,98 @@
                 "version": 1
             }
         },
+        {
+            "@timestamp": "2023-06-01T05:27:01.247Z",
+            "event": {
+                "action": "Executing Pipeline",
+                "code": "4103",
+                "kind": "event",
+                "provider": "Microsoft-Windows-PowerShell"
+            },
+            "host": {
+                "name": "host.contoso.com"
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"\n\n\nContext:\n        Severity = Informational\n        Host Name = OpsMgr PowerShell Host\n        Host Version = 7.0.5000.0\n        Host ID = b0c2607f-a734-4f24-8f75-fb6e7b79d116\n        Host Application = C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding\n        Engine Version = 5.1.17763.3770\n        Runspace ID = 860aba3e-ecbc-48d8-beaa-b5c19b845dfb\n        Pipeline ID = 2\n        Command Name = Get-ItemProperty\n        Command Type = Cmdlet\n        Script Name = \n        Command Path = \n        Sequence Number = 7213\n        User = CONTOSO\\SYSTEM\n        Connected User = \n        Shell ID = Microsoft.PowerShell\n\n\nUser Data:",
+            "winlog": {
+                "activity_id": "{a5ce6d2b-8964-4ec4-b0a3-1e749f8aa4ad}",
+                "channel": "Microsoft-Windows-PowerShell/Operational",
+                "computer_name": "host.contoso.com",
+                "event_data": {
+                    "ContextInfo": "        Severity = Informational\n        Host Name = OpsMgr PowerShell Host\n        Host Version = 7.0.5000.0\n        Host ID = 1c251f62-545d-4d71-901e-b3445e459c2c\n        Host Application = C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Import-Module 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules\\PowerShellEditorServices\\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2025.4.0' -BundledModulesPath 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules' -EnableConsoleRepl -StartupBanner \"PowerShell Extension v2025.4.0\nCopyright (c) Microsoft Corporation.\n\nhttps://aka.ms/vscode-powershell\nType 'help' to get help.\n\" -LogLevel 'Warning' -LogPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\logs\\20251029T133303\\window1\\exthost\\ms-vscode.powershell' -SessionDetailsPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\User\\globalStorage\\ms-vscode.powershell\\sessions\\PSES-VSCode-30052-837581.json' -FeatureFlags @()\n        Engine Version = 5.1.17763.3770\n        Runspace ID = 9f8ee3e6-561c-4875-a882-a352509348b8\n        Pipeline ID = 2\n        Command Name = Get-ItemProperty\n        Command Type = Cmdlet\n        Script Name = \n        Command Path = \n        Sequence Number = 7216833\n        User = CONTOSO\\SYSTEM\n        Connected User = \n        Shell ID = Microsoft.PowerShell",
+                    "Payload": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\""
+                },
+                "event_id": "4103",
+                "level": "information",
+                "opcode": "To be used when operation is just executing a method",
+                "process": {
+                    "pid": 2349,
+                    "thread": {
+                        "id": 32444
+                    }
+                },
+                "provider_guid": "{92a98569-96ac-46a7-af87-1eba79f456ee}",
+                "provider_name": "Microsoft-Windows-PowerShell",
+                "record_id": 5663677,
+                "task": "Executing Pipeline",
+                "time_created": "2023-06-01T05:27:01.2479769Z",
+                "user": {
+                    "identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000",
+                    "domain": "DESKTOP-6RJHI71",
+                    "name": "JohnDoe",
+                    "type": "User"
+                },
+                "version": 1
+            }
+        },
+        {
+            "@timestamp": "2023-06-01T05:27:01.247Z",
+            "event": {
+                "action": "Executing Pipeline",
+                "code": "4103",
+                "kind": "event",
+                "provider": "Microsoft-Windows-PowerShell"
+            },
+            "host": {
+                "name": "host.contoso.com"
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\"\n\n\nContext:\n        Severity = Informational\n        Host Name = OpsMgr PowerShell Host\n        Host Version = 7.0.5000.0\n        Host ID = b0c2607f-a734-4f24-8f75-fb6e7b79d116\n        Host Application = C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding\n        Engine Version = 5.1.17763.3770\n        Runspace ID = 860aba3e-ecbc-48d8-beaa-b5c19b845dfb\n        Pipeline ID = 2\n        Command Name = Get-ItemProperty\n        Command Type = Cmdlet\n        Script Name = \n        Command Path = \n        Sequence Number = 7213\n        User = CONTOSO\\SYSTEM\n        Connected User = \n        Shell ID = Microsoft.PowerShell\n\n\nUser Data:",
+            "winlog": {
+                "activity_id": "{a5ce6d2b-8964-4ec4-b0a3-1e749f8aa4ad}",
+                "channel": "Microsoft-Windows-PowerShell/Operational",
+                "computer_name": "host.contoso.com",
+                "event_data": {
+                    "ContextInfo": "        Severity = Informational\n        Host Name = OpsMgr PowerShell Host\n        Host Version = 7.0.5000.0\n        Host ID = 1c251f62-545d-4d71-901e-b3445e459c2c\n        Host Application = C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Import-Module 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules\\PowerShellEditorServices\\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2025.4.0' -BundledModulesPath 'c:\\Users\\JohnDoe\\.vscode\\extensions\\ms-vscode.powershell-2025.4.0\\modules' -EnableConsoleRepl -StartupBanner \"PowerShell Extension v2025.4.0\nCopyright (c) Microsoft Corporation.\" -LogLevel 'Warning' -LogPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\logs\\20251029T133303\\window1\\exthost\\ms-vscode.powershell' -SessionDetailsPath 'c:\\Users\\JohnDoe\\AppData\\Roaming\\Code\\User\\globalStorage\\ms-vscode.powershell\\sessions\\PSES-VSCode-30052-837581.json' -FeatureFlags @()\n        Engine Version = 5.1.17763.3770\n        Runspace ID = 9f8ee3e6-561c-4875-a882-a352509348b8\n        Pipeline ID = 2\n        Command Name = Get-ItemProperty\n        Command Type = Cmdlet\n        Script Name = \n        Command Path = \n        Sequence Number = 7216833\n        User = CONTOSO\\SYSTEM\n        Connected User = \n        Shell ID = Microsoft.PowerShell",
+                    "Payload": "CommandInvocation(Get-ItemProperty): \"Get-ItemProperty\"\nParameterBinding(Get-ItemProperty): name=\"Path\"; value=\"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"\nParameterBinding(Get-ItemProperty): name=\"Name\"; value=\"Authentication Packages\"\nCommandInvocation(Select-Object): \"Select-Object\"\nParameterBinding(Select-Object): name=\"ExpandProperty\"; value=\"Authentication Packages\"\nParameterBinding(Select-Object): name=\"InputObject\"; value=\"@{Authentication Packages=System.String[]; PSPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa; PSParentPath=Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control; PSChildName=Lsa; PSDrive=HKLM; PSProvider=Microsoft.PowerShell.Core\\Registry}\""
+                },
+                "event_id": "4103",
+                "level": "information",
+                "opcode": "To be used when operation is just executing a method",
+                "process": {
+                    "pid": 2349,
+                    "thread": {
+                        "id": 32444
+                    }
+                },
+                "provider_guid": "{92a98569-96ac-46a7-af87-1eba79f456ee}",
+                "provider_name": "Microsoft-Windows-PowerShell",
+                "record_id": 5663677,
+                "task": "Executing Pipeline",
+                "time_created": "2023-06-01T05:27:01.2479769Z",
+                "user": {
+                    "identifier": "S-1-5-21-2882078887-1352635951-3305458046-1000",
+                    "domain": "DESKTOP-6RJHI71",
+                    "name": "JohnDoe",
+                    "type": "User"
+                },
+                "version": 1
+            }
+        },
         {
         "@timestamp": "2024-09-03T15:27:45.847Z",
         "event": {