
Conversation

@w0rk3r
Contributor

@w0rk3r w0rk3r commented Nov 9, 2025

Proposed commit message

Remove the `script_block_signature` field to improve pipeline performance.

Summary

It seems that the gsub processor I added in #15834 to handle the way PowerShell scripts contain the signature is too expensive and is causing performance problems.

As I mentioned in #15834, the field was not being populated in my cluster and detection rules telemetry, and will not be populated in most PowerShell scripts as it ends up being split in two different events, so I propose to remove it to solve the problem.

Another point is that most PowerShell scripts with signatures end up having them truncated: since PowerShell logs have size limits, the signature often gets split across two events (Example).

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.
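The PR description says the field is rarely populated because the signature block is split across two script-block events. The following is an added example, not code from this PR or from the Elastic integration, that simulates this: a signed script is built with constructed signature lines, chunked into fixed-size fragments (the 4096-character fragment size is an assumption, not a value from the PR), and a whole-block regex of the kind a gsub processor would apply is run per fragment and on the reassembled script. Per fragment the signature is never extractable once it is longer than one fragment; only the reassembled text yields it.

```python
import re
from typing import List, Optional, Tuple

# Markers PowerShell writes around an Authenticode signature appended to a .ps1 file.
SIG_BEGIN = "# SIG # Begin signature block"
SIG_END = "# SIG # End signature block"

# One-pass pattern for the whole signature block, the kind of expression a
# gsub/regex processor would evaluate against every script block text.
SIG_RE = re.compile(re.escape(SIG_BEGIN) + r"(.*?)" + re.escape(SIG_END), re.DOTALL)


def build_signed_script(body_lines: int, sig_lines: int) -> str:
    """Construct a sample signed script: a body followed by a signature comment block.

    The signature lines are constructed filler, not a real Authenticode blob.
    """
    body = "\n".join(f"Write-Output 'line {i}'" for i in range(body_lines))
    sig_payload = "\n".join("# MII" + "A" * 60 for _ in range(sig_lines))
    return f"{body}\n{SIG_BEGIN}\n{sig_payload}\n{SIG_END}\n"


def split_into_events(text: str, max_chars: int) -> List[str]:
    """Simulate script block logging splitting one script into fixed-size fragments.

    max_chars is an assumed fragment size; real event limits are not stated in the PR.
    """
    return [text[i:i + max_chars] for i in range(0, len(text), max_chars)]


def reassemble(fragments: List[str]) -> str:
    """Join fragments back into the original script text (what a per-event pipeline never sees)."""
    return "".join(fragments)


def extract_signature(event_text: str) -> Optional[str]:
    """Return the signature payload if both markers are present in this text, else None."""
    m = SIG_RE.search(event_text)
    return m.group(1).strip() if m else None


def signature_coverage(text: str, max_chars: int) -> Tuple[int, List[int]]:
    """Chunk a script as the log would and report which fragments yield a signature."""
    events = split_into_events(text, max_chars)
    hits = [i for i, e in enumerate(events) if extract_signature(e) is not None]
    return len(events), hits


if __name__ == "__main__":
    script = build_signed_script(body_lines=20, sig_lines=100)
    n_events, hits = signature_coverage(script, max_chars=4096)
    print(f"fragments: {n_events}, fragments with a complete signature: {hits}")
    print("reassembled signature found:", extract_signature(reassemble(split_into_events(script, 4096))) is not None)
```

Running the block shows the signature block (well over the assumed fragment size) never fits inside a single fragment, so a per-event extraction produces nothing while still paying the regex cost on every event; only stitching the fragments back together recovers it.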

@w0rk3r w0rk3r requested a review from marc-gr November 9, 2025 21:20
@w0rk3r w0rk3r self-assigned this Nov 9, 2025
@w0rk3r w0rk3r added the bugfix (Pull request that fixes a bug issue) and Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) labels Nov 9, 2025
@w0rk3r w0rk3r requested review from a team as code owners November 9, 2025 21:20
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded


cc @w0rk3r
