Re-generate golden files

x-pack/winlogbeat/module/powershell/test/testdata/collection/400.evtx.golden.json

@@ -15,7 +15,6 @@
     },
     "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -27,7 +26,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 1492,
       "task": "Engine Lifecycle"
@@ -49,7 +47,6 @@
     },
     "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -61,7 +58,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 1511,
       "task": "Engine Lifecycle"
@@ -83,7 +79,6 @@
     },
     "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -95,7 +90,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 1579,
       "task": "Engine Lifecycle"
@@ -117,7 +111,6 @@
     },
     "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -129,7 +122,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 18591,
       "task": "Engine Lifecycle"

x-pack/winlogbeat/module/powershell/test/testdata/collection/403.evtx.golden.json

@@ -15,7 +15,6 @@
     },
     "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -27,7 +26,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 1687,
       "task": "Engine Lifecycle"
@@ -49,7 +47,6 @@
     },
     "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -61,7 +58,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 1706,
       "task": "Engine Lifecycle"
@@ -83,7 +79,6 @@
     },
     "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand IABpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAAdgBhAHIAaQBhAGIAbABlADoAZwBsAG8AYgBhAGwAOgBQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQApAHsAcwBlAHQALQB2AGEAcgBpAGEAYgBsAGUAIAAtAG4AYQBtAGUAIAB2AGEAcgBpAGEAYgBsAGUAOgBnAGwAbwBiAGEAbAA6AFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAALQB2AGEAbAB1AGUAIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwB9ADsALgAgAGMAOgAvAFcAaQBuAGQAbwB3AHMALwBUAGUAbQBwAC8AcABhAGMAawBlAHIALQBwAHMALQBlAG4AdgAtAHYAYQByAHMALQA1AGUANQA2ADMANwBkAGQALQAxADUAYQA5AC0ANwAzAGUAMAAtADgAOAA5AGEALQBjADAAMQBmADUANAAxAGEAOABiAGMANgAuAHAAcwAxADsAIAAmACcAYwA6AC8AVwBpAG4AZABvAHcAcwAvAFQAZQBtAHAALwBzAGMAcgBpAHAAdAAtADUAZQA1ADYAMwA3AGQAZAAtADUANgAyADYALQAwADEAOQBkAC0AMAAyADcAYQAtADAAMgBlADcAOABiAGEAYQBhAGMAYwA5AC4AcABzADEAJwA7ACAAZQB4AGkAdAAgACQATABhAHMAdABFAHgAaQB0AEMAbwBkAGUAIAA= -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -95,7 +90,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 1766,
       "task": "Engine Lifecycle"
@@ -117,7 +111,6 @@
     },
     "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -129,7 +122,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 18592,
       "task": "Engine Lifecycle"

x-pack/winlogbeat/module/powershell/test/testdata/collection/4103.evtx.golden.json

@@ -15,8 +15,7 @@
     },
     "message": "CommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"\n\n\nContext:\n        Severity = Informational\n        Host Name = ServerRemoteHost\n        Host Version = 1.0.0.0\n        Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n        Engine Version = 5.1.17763.1007\n        Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n        Pipeline ID = 1\n        Command Name = cmd.exe\n        Command Type = Application\n        Script Name = \n        Command Path = C:\\Windows\\system32\\cmd.exe\n        Sequence Number = 34\n        User = VAGRANT\\vagrant\n        Connected User = VAGRANT\\vagrant\n        Shell ID = Microsoft.PowerShell\n\n\nUser Data:",
     "winlog": {
-      "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}",
-      "api": "wineventlog",
+      "activity_id": "{1ACA0717-2ACB-0002-C208-CA1ACB2AD601}",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
       "event_data": {
@@ -31,7 +30,7 @@
           "id": 3616
         }
       },
-      "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+      "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
       "provider_name": "Microsoft-Windows-PowerShell",
       "record_id": 3885,
       "task": "Executing Pipeline",
@@ -57,8 +56,7 @@
     },
     "message": "CommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\n\nContext:\n        Severity = Informational\n        Host Name = ConsoleHost\n        Host Version = 5.1.17763.1007\n        Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n        Engine Version = 5.1.17763.1007\n        Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n        Pipeline ID = 9\n        Command Name = Resolve-Path\n        Command Type = Cmdlet\n        Script Name = \n        Command Path = \n        Sequence Number = 22\n        User = VAGRANT\\vagrant\n        Connected User = \n        Shell ID = Microsoft.PowerShell\n\n\nUser Data:",
     "winlog": {
-      "activity_id": "{1aca0717-2acb-0003-db0b-ca1acb2ad601}",
-      "api": "wineventlog",
+      "activity_id": "{1ACA0717-2ACB-0003-DB0B-CA1ACB2AD601}",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
       "event_data": {
@@ -73,7 +71,7 @@
           "id": 4160
         }
       },
-      "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+      "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
       "provider_name": "Microsoft-Windows-PowerShell",
       "record_id": 3917,
       "task": "Executing Pipeline",

x-pack/winlogbeat/module/powershell/test/testdata/collection/4104.evtx.golden.json

@@ -15,8 +15,7 @@
     },
     "message": "Creating Scriptblock text (1 of 1):\n.\\patata.ps1\n\nScriptBlock ID: 50d2dbda-7361-4926-a94d-d9eadfdb43fa\nPath: ",
     "winlog": {
-      "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}",
-      "api": "wineventlog",
+      "activity_id": "{FB13C9DE-29F7-0001-18E0-13FBF729D601}",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
       "event_data": {
@@ -33,7 +32,7 @@
           "id": 4428
         }
       },
-      "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+      "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
       "provider_name": "Microsoft-Windows-PowerShell",
       "record_id": 3580,
       "task": "Execute a Remote Command",
@@ -59,8 +58,7 @@
     },
     "message": "Creating Scriptblock text (1 of 1):\n\n\nScriptBlock ID: f5521cbd-656e-4296-b74d-9ffb4eec23b0\nPath: C:\\Users\\vagrant\\Desktop\\patata.ps1",
     "winlog": {
-      "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}",
-      "api": "wineventlog",
+      "activity_id": "{FB13C9DE-29F7-0000-79DB-13FBF729D601}",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
       "event_data": {
@@ -77,7 +75,7 @@
           "id": 4428
         }
       },
-      "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+      "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
       "provider_name": "Microsoft-Windows-PowerShell",
       "record_id": 3582,
       "task": "Execute a Remote Command",

x-pack/winlogbeat/module/powershell/test/testdata/collection/4105.evtx.golden.json

@@ -15,8 +15,7 @@
     },
     "message": "Started invocation of ScriptBlock ID: f4a378ab-b74f-41a7-a5ef-6dd55562fdb9\nRunspace ID: 9c031e5c-8d5a-4b91-a12e-b3624970b623",
     "winlog": {
-      "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}",
-      "api": "wineventlog",
+      "activity_id": "{DD68516A-2930-0000-5962-68DD3029D601}",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
       "event_data": {
@@ -31,7 +30,7 @@
           "id": 1476
         }
       },
-      "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+      "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
       "provider_name": "Microsoft-Windows-PowerShell",
       "record_id": 790,
       "task": "Starting Command",

x-pack/winlogbeat/module/powershell/test/testdata/collection/4106.evtx.golden.json

@@ -15,8 +15,7 @@
     },
     "message": "Completed invocation of ScriptBlock ID: 4c487c13-46f7-4485-925b-34855c7e873c\nRunspace ID: 3f1a9181-0523-4645-a42c-2c1868c39332",
     "winlog": {
-      "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}",
-      "api": "wineventlog",
+      "activity_id": "{E3200B8A-290E-0002-332A-20E30E29D601}",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
       "event_data": {
@@ -31,7 +30,7 @@
           "id": 5092
         }
       },
-      "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+      "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
       "provider_name": "Microsoft-Windows-PowerShell",
       "record_id": 933,
       "task": "Stopping Command",

x-pack/winlogbeat/module/powershell/test/testdata/collection/600.evtx.golden.json

@@ -15,7 +15,6 @@
     },
     "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -27,7 +26,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 1089,
       "task": "Provider Lifecycle"
@@ -49,7 +47,6 @@
     },
     "message": "Provider \"Registry\" is Started. \n\nDetails: \n\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -61,7 +58,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 1266,
       "task": "Provider Lifecycle"
@@ -83,7 +79,6 @@
     },
     "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
-      "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
       "event_data": {
@@ -95,7 +90,6 @@
       "keywords": [
         "Classic"
       ],
-      "opcode": "Info",
       "provider_name": "PowerShell",
       "record_id": 18640,
       "task": "Provider Lifecycle"