[Enhancement] Add ".caseless" fields to process events #9850
base: main
Conversation
🚀 Benchmarks report
@w0rk3r: Can we please get the CI green here?
💚 Build Succeeded
cc @w0rk3r
Quality Gate passed
This introduces a new field into an ECS-controlled namespace that is not defined in ECS. We need to commit this to the schema first so that it becomes standardized. This will allow us to use a uniform definition everywhere, and it's easily importable.
```yaml
# fields.yml
# Reference the ECS definition of the field (and any multi-fields ECS
# declares for it) instead of defining it locally in the integration.
- name: process.executable
  external: ecs
```
This additional multi-field will end up in the Elasticsearch `ecs@mappings` template, meaning that all users of data streams can have a consistent mapping for these fields (even if they aren't using an integration).
Probably one reason that we have incompatibility with detection rules (#9234) is that the rule(s) are using fields which have not been defined in ECS. So if we can align ECS then any future integrations will just work.
I also think we should debate alternative naming. My initial reaction was that calling this "lowercase" would be more clear because it conveys the fact that the value is being converted to lowercase.
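For readers who want to see what the local definition the reviewer is objecting to looks like, here is an added example (not the PR's diff and not Elastic Defend's mapping, which the page only names) of the `fields.yml` entries for the two fields with a `caseless` multi-field. It assumes the sub-field is a `keyword` with Elasticsearch's built-in `lowercase` normalizer, which is the usual way to build a case-folded keyword; the descriptions are placeholders.

```yaml
# fields.yml (added example; assumes the built-in "lowercase" normalizer).
# A normalizer is applied to the value at index time AND to the term a
# query supplies, so process.name.caseless : "cmd.exe" matches an event
# ingested as "CMD.EXE" without the rule author lower-casing anything.
# The plain keyword field process.name stays exact-match (case-sensitive),
# and the .text multi-field keeps full-text search for the path/name.
- name: process.name
  type: keyword
  description: Process name (example description, not the project's).
  multi_fields:
    - name: caseless
      type: keyword
      normalizer: lowercase
    - name: text
      type: text
- name: process.executable
  type: keyword
  description: Absolute path to the process executable (example description).
  multi_fields:
    - name: caseless
      type: keyword
      normalizer: lowercase
    - name: text
      type: text
```

If ECS itself carries the `caseless` sub-field, the two entries above collapse to the `external: ecs` form shown in the review comment and every integration inherits the same mapping. Two caveats when testing: a mapping change only reaches newly created backing indices, so roll the data stream over before checking a query, and KQL against the un-normalized `process.name` keyword will still miss events whose Sysmon or Windows Security value differs only in case.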
Proposed commit message
This PR adds `.caseless` fields for the process name and executable to improve compatibility with our Elastic Defend integration. This enables us to handle language limitations in KQL more effectively. I'm also specifying the `.text` field as it was being removed from the markdown file otherwise.

Elastic Defend Mapping:
Checklist

- I have added an entry to the `changelog.yml` file.

How to test this PR locally
Build the integration, then ingest Sysmon or Windows Security logs.
Related issues
Screenshots