From 9e029b1adf101cd98b32a09e79e433aff5c5f379 Mon Sep 17 00:00:00 2001
From: Kyle Pearson <kyle.pearson@elastic.co>
Date: Fri, 4 Dec 2020 18:36:57 +0000
Subject: [PATCH 1/2] Adding protection for undefined variable in copy target
 user

---
 CHANGELOG.next.asciidoc                                |  1 +
 .../module/security/config/winlogbeat-security.js      | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 260f3114637..f86195ed56f 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -460,6 +460,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fields from Winlogbeat modules were not being included in index templates and patterns. {pull}18983[18983]
 - Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627]
 - Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236]
+- Protect against accessing an undefined variable in Security module.
 
 *Functionbeat*
 
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index 5a8e91b677b..942eecf52e5 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -1519,11 +1519,13 @@ var security = (function () {
         })
         .Add(function(evt) {
             var user = evt.Get("winlog.event_data.TargetUserName");
-            if (/.@*/.test(user)) {
-                user = user.split('@')[0];
-                evt.Put('user.name', user);
+            if (user) {
+                if (/.@*/.test(user)) {
+                    user = user.split('@')[0];
+                    evt.Put('user.name', user);
+                }
+                evt.AppendTo('related.user', user);
             }
-            evt.AppendTo('related.user', user);
         })
         .Build();
 

From da48d857284a524334aa724ea898c53f869aa1a0 Mon Sep 17 00:00:00 2001
From: Kyle Pearson <kyle.pearson@elastic.co>
Date: Fri, 4 Dec 2020 18:42:08 +0000
Subject: [PATCH 2/2] Update CHANGELOG.next.asciidoc

---
 CHANGELOG.next.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index f86195ed56f..8835d6bd8d9 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -460,7 +460,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fields from Winlogbeat modules were not being included in index templates and patterns. {pull}18983[18983]
 - Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627]
 - Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236]
-- Protect against accessing an undefined variable in Security module.
+- Protect against accessing an undefined variable in Security module. {pull}22937[22937]
 
 *Functionbeat*