Bugfix: Safely Handle Malformed UAC events

[brian-mckinney]

Proposed commit message

https://github.com/elastic/sdh-beats/issues/6727

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
• I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

[github-actions]

🤖 GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @brian-mckinney? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a893a813-b613-441d-9f3b-ccf6b42c90c5

📥 Commits

Reviewing files that changed from the base of the PR and between a85f85e and b228ebf.

📒 Files selected for processing (1)

• x-pack/winlogbeat/module/security/ingest/security_standard.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• x-pack/winlogbeat/module/security/ingest/security_standard.yml

---

📝 Walkthrough

Walkthrough

The pull request adds defensive error handling to a Windows security ingest pipeline. A changelog fragment documents a bug fix for "Long decoding error" in a Painless script for winlogbeat. The ingest pipeline script is updated with try/catch blocks around Long.decode() calls for both NewUacValue parsing and parameter iteration, allowing the script to continue or return early on decode failures rather than aborting.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[andrewkroh]

The pipeline change looks fine.

Note that there is no testing of the pipeline as explained in #49947.

[github-actions]

@Mergifyio backport 9.3 9.4

[mergify]

backport 9.3 9.4

✅ Backports have been created

Details

• #50550 [9.3](backport #49869) Bugfix: Safely Handle Malformed UAC events has been created for branch 9.3
• #50551 [9.4](backport #49869) Bugfix: Safely Handle Malformed UAC events has been created for branch 9.4