elastic · w0rk3r · Jul 26, 2024 · Jul 18, 2024 · Jul 18, 2024 · Jul 18, 2024
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.60.0"
+  changes:
+    - description: Add caseless fields to process events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10533
 - version: "1.59.4"
   changes:
     - description: Mark system.diskio data stream as requires root

@@ -0,0 +1,18 @@
+- external: ecs
+  name: process.executable
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text
+- external: ecs
+  name: process.name
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text
@@ -515,6 +515,12 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | input.type | Type of Filebeat input. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.caseless | Multi-field of `process.executable`. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.caseless | Multi-field of `process.name`. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
 | winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
 | winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
 | winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |

@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "1.59.4"
+version: "1.60.0"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.47.0"
+  changes:
+    - description: Add caseless fields to process events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10533
 - version: "1.46.1"
   changes:
     - description: Convert error.code to string

@@ -148,6 +148,13 @@
   name: process.entity_id
 - external: ecs
   name: process.executable
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text
 - external: ecs
   name: process.hash.md5
 - external: ecs
@@ -158,6 +165,13 @@
   name: process.hash.sha512
 - external: ecs
   name: process.name
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text
 - external: ecs
   name: process.parent.args
 - external: ecs

@@ -138,6 +138,13 @@
   name: process.entity_id
 - external: ecs
   name: process.executable
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text
 - external: ecs
   name: process.hash.md5
 - external: ecs
@@ -148,6 +155,13 @@
   name: process.hash.sha512
 - external: ecs
   name: process.name
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text
 - external: ecs
   name: process.parent.args
 - external: ecs

@@ -2530,12 +2530,14 @@ An example event for `sysmon_operational` looks as following:
 | process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
 | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
 | process.executable | Absolute path to the process executable. | keyword |
+| process.executable.caseless | Multi-field of `process.executable`. | keyword |
 | process.executable.text | Multi-field of `process.executable`. | match_only_text |
 | process.hash.md5 | MD5 hash. | keyword |
 | process.hash.sha1 | SHA1 hash. | keyword |
 | process.hash.sha256 | SHA256 hash. | keyword |
 | process.hash.sha512 | SHA512 hash. | keyword |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.caseless | Multi-field of `process.name`. | keyword |
 | process.name.text | Multi-field of `process.name`. | match_only_text |
 | process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
 | process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |

@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.46.1
+version: 1.47.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: