-
Notifications
You must be signed in to change notification settings - Fork 422
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Enhancement] Add ".caseless" fields to process events #10533
Conversation
🚀 Benchmarks reportTo see the full report comment with |
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform) |
@w0rk3r this PR is now in conflict |
Quality Gate passedIssues Measures |
💚 Build Succeeded
History
cc @w0rk3r |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
@w0rk3r We are now good to go, thanks |
Package system - 1.60.0 containing this change is available at https://epr.elastic.co/search?package=system |
Package windows - 1.47.0 containing this change is available at https://epr.elastic.co/search?package=windows |
[Enhancement] Add ".caseless" fields to process events
Summary
Clean version of #9850, reopening this as the discussion in ECS suggests this may be the best way to proceed.
Proposed commit message
This PR adds
.caseless
fields for the process name and executable to improve compatibility with our Elastic Defend integration. This enables us to handle language limitations in KQL more effectively.I'm also specifying the
.text
field as it was being removed from the markdown file otherwise.Elastic Defend Mapping:
Checklist
changelog.yml
file.How to test this PR locally
Build the integration, ingest sysmon or windows security logs.
Related issues
Screenshots