diff --git a/Makefile b/Makefile index bbc386280..22096a0b9 100644 --- a/Makefile +++ b/Makefile @@ -149,7 +149,7 @@ $(ROOT_DIR)/out: build-package: $(ROOT_DIR)/out rm -rf $(PACKAGES_DIR) mkdir -p $(PACKAGES_DIR)/endpoint/$(PACKAGE_VERSION) - cp -r $(ROOT_DIR)/package/endpoint/ $(PACKAGES_DIR)/endpoint/$(PACKAGE_VERSION) + cp -r $(ROOT_DIR)/package/endpoint/* $(PACKAGES_DIR)/endpoint/$(PACKAGE_VERSION) # Use this target to run the package registry with your modifications to the endpoint package .PHONY: run-registry diff --git a/custom_schemas/custom_file.yml b/custom_schemas/custom_file.yml index 40b351e8e..a96c90754 100644 --- a/custom_schemas/custom_file.yml +++ b/custom_schemas/custom_file.yml @@ -11,6 +11,22 @@ File fields provide details about the affected file associated with the event or metric. type: group fields: + - name: path + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + - name: text + type: text + + - name: target_path + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + - name: text + type: text + - name: Ext level: custom type: object diff --git a/custom_schemas/custom_os.yml b/custom_schemas/custom_os.yml index 1e7f6df0e..9708b238f 100644 --- a/custom_schemas/custom_os.yml +++ b/custom_schemas/custom_os.yml @@ -11,6 +11,22 @@ expected: - host fields: + - name: full + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + - name: text + type: text + + - name: name + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + - name: text + type: text + - name: Ext level: custom type: object diff --git a/custom_schemas/custom_process.yml b/custom_schemas/custom_process.yml index ff390b0c2..9dda54087 100644 --- a/custom_schemas/custom_process.yml +++ b/custom_schemas/custom_process.yml 
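Review bot: The new `cp -r $(ROOT_DIR)/package/endpoint/* …` in the `build-package` recipe silently drops dot-files (the shell glob does not match names starting with `.`) and, if the source directory is ever empty, hands cp a literal `*` and fails; copying a directory's contents portably on both GNU and BSD cp, dot-files included, is `cp -r $(ROOT_DIR)/package/endpoint/. $(PACKAGES_DIR)/endpoint/$(PACKAGE_VERSION)`. The `rm -rf $(PACKAGES_DIR)` two lines above it runs unguarded, and `PACKAGES_DIR` is defined outside this hunk, so a bad or empty expansion (for example an unset prefix variable) would delete the wrong tree; a one-line guard such as `$(if $(strip $(PACKAGES_DIR)),,$(error PACKAGES_DIR is empty))` on the recipe's first line is cheap insurance. The recipe lines appear to have lost their leading tabs in this rendering, so I cannot tell whether the `rm`/`mkdir`/`cp` lines were touched beyond the `cp` change.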
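Review bot: The new `caseless` multi_field on `file.path` and `file.target_path` (and likewise `host.os.full`/`host.os.name` in custom_os.yml and the four process fields in custom_process.yml) depends on a normalizer named `lowercase`, but nothing in this diff defines one under `settings.analysis.normalizer`, and the generated `template.json` hunks only reference it. I believe Elasticsearch only ships a built-in `lowercase` normalizer from 7.10 onward, so on earlier 7.x targets the template install would fail; please confirm the minimum supported stack version or add the normalizer to the template settings. A short comment on the first `caseless` entry, e.g. `# keyword copy normalized with the built-in lowercase normalizer; used by case-insensitive detection rules`, would also document why the `text` multi_field is restated here alongside it.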
@@ -16,6 +16,38 @@ - { at: Target.process, as: parent } type: group fields: + - name: command_line + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + - name: text + type: text + + - name: executable + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + - name: text + type: text + + - name: name + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + - name: text + type: text + + - name: working_directory + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + - name: text + type: text + - name: Ext level: custom type: object diff --git a/generated/alerts/ecs/ecs_flat.yml b/generated/alerts/ecs/ecs_flat.yml index defb7a80e..eeb74329f 100644 --- a/generated/alerts/ecs/ecs_flat.yml +++ b/generated/alerts/ecs/ecs_flat.yml @@ -968,6 +968,11 @@ Target.process.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.command_line.text name: text norms: false @@ -1005,6 +1010,11 @@ Target.process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.executable.text name: text norms: false @@ -1082,6 +1092,11 @@ Target.process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.name.text name: text norms: false 
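Review bot: The `caseless` copies added here for `command_line` and `working_directory` inherit `ignore_above: 1024` in the generated output (see the `process.command_line.caseless` entries in generated/alerts/ecs/ecs_flat.yml), so any command line longer than 1024 characters is indexed in `process.command_line` but absent from `process.command_line.caseless`, and a case-insensitive rule written against the `.caseless` field will not match those events. If that is intended, note it in the schema, e.g. `# caseless copy is truncated by ignore_above; long command lines are only searchable on the base keyword field`; if not, consider an explicit, larger `ignore_above` on the `command_line` caseless entry. The same applies to the `Target.process.*` variants generated from this file.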
@@ -1248,6 +1263,11 @@ Target.process.parent.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.parent.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.parent.command_line.text name: text norms: false @@ -1285,6 +1305,11 @@ Target.process.parent.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.parent.executable.text name: text norms: false @@ -1362,6 +1387,11 @@ Target.process.parent.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.parent.name.text name: text norms: false @@ -1479,6 +1509,11 @@ Target.process.parent.working_directory: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.parent.working_directory.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.parent.working_directory.text name: text norms: false @@ -1967,6 +2002,11 @@ Target.process.working_directory: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.working_directory.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.working_directory.text name: text norms: false @@ -3835,6 +3875,11 @@ file.path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.path.text name: text norms: false 
@@ -3922,6 +3967,11 @@ file.target_path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.target_path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.target_path.text name: text norms: false @@ -4253,6 +4303,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -4282,6 +4337,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -4983,6 +5043,11 @@ process.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.command_line.text name: text norms: false @@ -5018,6 +5083,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -5093,6 +5163,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false @@ -5258,6 +5333,11 @@ process.parent.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.command_line.text name: text norms: false 
@@ -5295,6 +5375,11 @@ process.parent.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.executable.text name: text norms: false @@ -5372,6 +5457,11 @@ process.parent.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.name.text name: text norms: false @@ -5489,6 +5579,11 @@ process.parent.working_directory: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.working_directory.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.working_directory.text name: text norms: false @@ -5963,6 +6058,11 @@ process.working_directory: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.working_directory.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.working_directory.text name: text norms: false diff --git a/generated/alerts/ecs/subset/malware_event/ecs_flat.yml b/generated/alerts/ecs/subset/malware_event/ecs_flat.yml index 847f9e04d..0f9f6c972 100644 --- a/generated/alerts/ecs/subset/malware_event/ecs_flat.yml +++ b/generated/alerts/ecs/subset/malware_event/ecs_flat.yml @@ -976,6 +976,11 @@ Target.process.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.command_line.text name: text norms: false 
@@ -1014,6 +1019,11 @@ Target.process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.executable.text name: text norms: false @@ -1096,6 +1106,11 @@ Target.process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.name.text name: text norms: false @@ -1267,6 +1282,11 @@ Target.process.parent.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.parent.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.parent.command_line.text name: text norms: false @@ -1305,6 +1325,11 @@ Target.process.parent.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.parent.executable.text name: text norms: false @@ -1387,6 +1412,11 @@ Target.process.parent.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.parent.name.text name: text norms: false @@ -1506,6 +1536,11 @@ Target.process.parent.working_directory: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.parent.working_directory.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.parent.working_directory.text name: text norms: false 
@@ -2001,6 +2036,11 @@ Target.process.working_directory: ignore_above: 1024 level: extended multi_fields: + - flat_name: Target.process.working_directory.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: Target.process.working_directory.text name: text norms: false @@ -3903,6 +3943,11 @@ file.path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.path.text name: text norms: false @@ -3997,6 +4042,11 @@ file.target_path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.target_path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.target_path.text name: text norms: false @@ -4339,6 +4389,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -4370,6 +4425,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -5081,6 +5141,11 @@ process.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.command_line.text name: text norms: false @@ -5117,6 +5182,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false 
@@ -5197,6 +5267,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false @@ -5367,6 +5442,11 @@ process.parent.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.command_line.text name: text norms: false @@ -5405,6 +5485,11 @@ process.parent.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.executable.text name: text norms: false @@ -5487,6 +5572,11 @@ process.parent.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.name.text name: text norms: false @@ -5606,6 +5696,11 @@ process.parent.working_directory: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.working_directory.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.working_directory.text name: text norms: false @@ -6087,6 +6182,11 @@ process.working_directory: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.working_directory.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.working_directory.text name: text norms: false diff --git a/generated/alerts/ecs/subset/malware_event/exceptionable.json b/generated/alerts/ecs/subset/malware_event/exceptionable.json index fdf0ea60e..d28ae3208 100644 --- a/generated/alerts/ecs/subset/malware_event/exceptionable.json 
+++ b/generated/alerts/ecs/subset/malware_event/exceptionable.json @@ -7,31 +7,38 @@ "Target.process.Ext.services", "Target.process.Ext.user", "Target.process.command_line", + "Target.process.command_line.caseless", "Target.process.command_line.text", "Target.process.executable", + "Target.process.executable.caseless", "Target.process.executable.text", "Target.process.hash.md5", "Target.process.hash.sha1", "Target.process.hash.sha256", "Target.process.hash.sha512", "Target.process.name", + "Target.process.name.caseless", "Target.process.name.text", "Target.process.parent.Ext.code_signature.status", "Target.process.parent.Ext.code_signature.subject_name", "Target.process.parent.Ext.code_signature.trusted", "Target.process.parent.Ext.code_signature.valid", "Target.process.parent.command_line", + "Target.process.parent.command_line.caseless", "Target.process.parent.command_line.text", "Target.process.parent.executable", + "Target.process.parent.executable.caseless", "Target.process.parent.executable.text", "Target.process.parent.hash.md5", "Target.process.parent.hash.sha1", "Target.process.parent.hash.sha256", "Target.process.parent.hash.sha512", "Target.process.parent.name", + "Target.process.parent.name.caseless", "Target.process.parent.name.text", "Target.process.parent.pgid", "Target.process.parent.working_directory", + "Target.process.parent.working_directory.caseless", "Target.process.parent.working_directory.text", "Target.process.pe.company", "Target.process.pe.description", @@ -40,6 +47,7 @@ "Target.process.pe.product", "Target.process.pgid", "Target.process.working_directory", + "Target.process.working_directory.caseless", "Target.process.working_directory.text", "agent.id", "agent.type", @@ -75,6 +83,7 @@ "file.name", "file.owner", "file.path", + "file.path.caseless", "file.path.text", "file.pe.company", "file.pe.description", 
@@ -83,6 +92,7 @@ "file.pe.product", "file.size", "file.target_path", + "file.target_path.caseless", "file.target_path.text", "file.type", "file.uid", @@ -95,9 +105,11 @@ "host.os.Ext.variant", "host.os.family", "host.os.full", + "host.os.full.caseless", "host.os.full.text", "host.os.kernel", "host.os.name", + "host.os.name.caseless", "host.os.name.text", "host.os.platform", "host.os.version", @@ -109,31 +121,38 @@ "process.Ext.services", "process.Ext.user", "process.command_line", + "process.command_line.caseless", "process.command_line.text", "process.executable", + "process.executable.caseless", "process.executable.text", "process.hash.md5", "process.hash.sha1", "process.hash.sha256", "process.hash.sha512", "process.name", + "process.name.caseless", "process.name.text", "process.parent.Ext.code_signature.status", "process.parent.Ext.code_signature.subject_name", "process.parent.Ext.code_signature.trusted", "process.parent.Ext.code_signature.valid", "process.parent.command_line", + "process.parent.command_line.caseless", "process.parent.command_line.text", "process.parent.executable", + "process.parent.executable.caseless", "process.parent.executable.text", "process.parent.hash.md5", "process.parent.hash.sha1", "process.parent.hash.sha256", "process.parent.hash.sha512", "process.parent.name", + "process.parent.name.caseless", "process.parent.name.text", "process.parent.pgid", "process.parent.working_directory", + "process.parent.working_directory.caseless", "process.parent.working_directory.text", "process.pe.company", "process.pe.description", @@ -142,6 +161,7 @@ "process.pe.product", "process.pgid", "process.working_directory", + "process.working_directory.caseless", "process.working_directory.text", "rule.uuid" ] \ No newline at end of file diff --git a/generated/alerts/elasticsearch/7/template.json b/generated/alerts/elasticsearch/7/template.json index f5f14923f..8c5df2723 100644 --- a/generated/alerts/elasticsearch/7/template.json 
+++ b/generated/alerts/elasticsearch/7/template.json @@ -396,6 +396,11 @@ }, "command_line": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -410,6 +415,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -443,6 +453,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -497,6 +512,11 @@ }, "command_line": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -511,6 +531,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -544,6 +569,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -590,6 +620,11 @@ }, "working_directory": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -779,6 +814,11 @@ }, "working_directory": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1363,6 +1403,11 @@ }, "path": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1400,6 +1445,11 @@ }, "target_path": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" 
@@ -1533,6 +1583,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1547,6 +1602,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1827,6 +1887,11 @@ }, "command_line": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1841,6 +1906,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1874,6 +1944,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1928,6 +2003,11 @@ }, "command_line": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1942,6 +2022,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -1975,6 +2060,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -2021,6 +2111,11 @@ }, "working_directory": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -2210,6 +2305,11 @@ }, "working_directory": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/generated/file/ecs/ecs_flat.yml b/generated/file/ecs/ecs_flat.yml index 62284655a..31a84a81c 100644 
--- a/generated/file/ecs/ecs_flat.yml +++ b/generated/file/ecs/ecs_flat.yml @@ -865,6 +865,11 @@ file.path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.path.text name: text norms: false @@ -1058,6 +1063,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -1087,6 +1097,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -1183,6 +1198,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -1201,6 +1221,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/file/ecs/subset/file/ecs_flat.yml b/generated/file/ecs/subset/file/ecs_flat.yml index 6f8ec504f..c03ca5364 100644 --- a/generated/file/ecs/subset/file/ecs_flat.yml +++ b/generated/file/ecs/subset/file/ecs_flat.yml @@ -835,6 +835,11 @@ file.path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.path.text name: text norms: false 
@@ -1028,6 +1033,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -1057,6 +1067,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -1153,6 +1168,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -1171,6 +1191,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/file/ecs/subset/unquarantine/ecs_flat.yml b/generated/file/ecs/subset/unquarantine/ecs_flat.yml index 7d5377fd0..0f7f2771d 100644 --- a/generated/file/ecs/subset/unquarantine/ecs_flat.yml +++ b/generated/file/ecs/subset/unquarantine/ecs_flat.yml @@ -727,6 +727,11 @@ file.path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.path.text name: text norms: false @@ -851,6 +856,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false 
@@ -880,6 +890,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false diff --git a/generated/file/elasticsearch/7/template.json b/generated/file/elasticsearch/7/template.json index 2b53f0390..04e90d680 100644 --- a/generated/file/elasticsearch/7/template.json +++ b/generated/file/elasticsearch/7/template.json @@ -209,6 +209,11 @@ }, "path": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -295,6 +300,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -309,6 +319,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -350,6 +365,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -360,6 +380,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/generated/library/ecs/ecs_flat.yml b/generated/library/ecs/ecs_flat.yml index 52c63fd63..8e6a6885b 100644 --- a/generated/library/ecs/ecs_flat.yml +++ b/generated/library/ecs/ecs_flat.yml @@ -750,6 +750,11 @@ file.path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.path.text name: text norms: false 
@@ -968,6 +973,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -997,6 +1007,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -1093,6 +1108,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -1111,6 +1131,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/library/ecs/subset/library/ecs_flat.yml b/generated/library/ecs/subset/library/ecs_flat.yml index 52c63fd63..8e6a6885b 100644 --- a/generated/library/ecs/subset/library/ecs_flat.yml +++ b/generated/library/ecs/subset/library/ecs_flat.yml @@ -750,6 +750,11 @@ file.path: ignore_above: 1024 level: extended multi_fields: + - flat_name: file.path.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: file.path.text name: text norms: false @@ -968,6 +973,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false 
@@ -997,6 +1007,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -1093,6 +1108,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -1111,6 +1131,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/library/elasticsearch/7/template.json b/generated/library/elasticsearch/7/template.json index e9e459c05..a694dba4e 100644 --- a/generated/library/elasticsearch/7/template.json +++ b/generated/library/elasticsearch/7/template.json @@ -180,6 +180,11 @@ }, "path": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -278,6 +283,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -292,6 +302,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -333,6 +348,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -343,6 +363,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" 
diff --git a/generated/metadata/ecs/ecs_flat.yml b/generated/metadata/ecs/ecs_flat.yml index 5488bceb2..468a63531 100644 --- a/generated/metadata/ecs/ecs_flat.yml +++ b/generated/metadata/ecs/ecs_flat.yml @@ -785,6 +785,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -814,6 +819,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false diff --git a/generated/metadata/ecs/subset/metadata/ecs_flat.yml b/generated/metadata/ecs/subset/metadata/ecs_flat.yml index 5488bceb2..468a63531 100644 --- a/generated/metadata/ecs/subset/metadata/ecs_flat.yml +++ b/generated/metadata/ecs/subset/metadata/ecs_flat.yml @@ -785,6 +785,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -814,6 +819,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false diff --git a/generated/metadata/elasticsearch/7/template.json b/generated/metadata/elasticsearch/7/template.json index 841c32339..5a8e4dd83 100644 --- a/generated/metadata/elasticsearch/7/template.json +++ b/generated/metadata/elasticsearch/7/template.json @@ -189,6 +189,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" 
@@ -203,6 +208,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/generated/metrics/ecs/ecs_flat.yml b/generated/metrics/ecs/ecs_flat.yml index c8e4d3151..0b4888521 100644 --- a/generated/metrics/ecs/ecs_flat.yml +++ b/generated/metrics/ecs/ecs_flat.yml @@ -919,6 +919,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -948,6 +953,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false diff --git a/generated/metrics/ecs/subset/metrics/ecs_flat.yml b/generated/metrics/ecs/subset/metrics/ecs_flat.yml index c8e4d3151..0b4888521 100644 --- a/generated/metrics/ecs/subset/metrics/ecs_flat.yml +++ b/generated/metrics/ecs/subset/metrics/ecs_flat.yml @@ -919,6 +919,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -948,6 +953,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false diff --git a/generated/metrics/elasticsearch/7/template.json b/generated/metrics/elasticsearch/7/template.json index 3679cdf4b..4ec97297b 100644 --- a/generated/metrics/elasticsearch/7/template.json +++ b/generated/metrics/elasticsearch/7/template.json 
@@ -239,6 +239,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -253,6 +258,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/generated/network/ecs/ecs_flat.yml b/generated/network/ecs/ecs_flat.yml index ea49fd54d..f5d3b3232 100644 --- a/generated/network/ecs/ecs_flat.yml +++ b/generated/network/ecs/ecs_flat.yml @@ -1070,6 +1070,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -1099,6 +1104,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -1415,6 +1425,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -1433,6 +1448,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/network/ecs/subset/network/ecs_flat.yml b/generated/network/ecs/subset/network/ecs_flat.yml index ea49fd54d..f5d3b3232 100644 --- a/generated/network/ecs/subset/network/ecs_flat.yml +++ b/generated/network/ecs/subset/network/ecs_flat.yml 
@@ -1070,6 +1070,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -1099,6 +1104,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -1415,6 +1425,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -1433,6 +1448,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/network/elasticsearch/7/template.json b/generated/network/elasticsearch/7/template.json index 685774292..70cf4ea8c 100644 --- a/generated/network/elasticsearch/7/template.json +++ b/generated/network/elasticsearch/7/template.json @@ -282,6 +282,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -296,6 +301,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -435,6 +445,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" 
@@ -445,6 +460,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/generated/policy/ecs/ecs_flat.yml b/generated/policy/ecs/ecs_flat.yml index 185912ff1..338f8bea5 100644 --- a/generated/policy/ecs/ecs_flat.yml +++ b/generated/policy/ecs/ecs_flat.yml @@ -1035,6 +1035,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -1064,6 +1069,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false diff --git a/generated/policy/ecs/subset/policy/ecs_flat.yml b/generated/policy/ecs/subset/policy/ecs_flat.yml index 185912ff1..338f8bea5 100644 --- a/generated/policy/ecs/subset/policy/ecs_flat.yml +++ b/generated/policy/ecs/subset/policy/ecs_flat.yml @@ -1035,6 +1035,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -1064,6 +1069,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false diff --git a/generated/policy/elasticsearch/7/template.json b/generated/policy/elasticsearch/7/template.json index 2307db94a..27701b0df 100644 --- a/generated/policy/elasticsearch/7/template.json +++ b/generated/policy/elasticsearch/7/template.json 
@@ -302,6 +302,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -316,6 +321,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/generated/process/ecs/ecs_flat.yml b/generated/process/ecs/ecs_flat.yml index 810102b15..4dbf7c8d7 100644 --- a/generated/process/ecs/ecs_flat.yml +++ b/generated/process/ecs/ecs_flat.yml @@ -747,6 +747,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -776,6 +781,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -975,6 +985,11 @@ process.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.command_line.text name: text norms: false @@ -1010,6 +1025,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -1074,6 +1094,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false 
@@ -1143,6 +1168,11 @@ process.parent.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.executable.text name: text norms: false @@ -1162,6 +1192,11 @@ process.parent.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.name.text name: text norms: false diff --git a/generated/process/ecs/subset/process/ecs_flat.yml b/generated/process/ecs/subset/process/ecs_flat.yml index 810102b15..4dbf7c8d7 100644 --- a/generated/process/ecs/subset/process/ecs_flat.yml +++ b/generated/process/ecs/subset/process/ecs_flat.yml @@ -747,6 +747,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -776,6 +781,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -975,6 +985,11 @@ process.command_line: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.command_line.text name: text norms: false @@ -1010,6 +1025,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false 
@@ -1074,6 +1094,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false @@ -1143,6 +1168,11 @@ process.parent.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.executable.text name: text norms: false @@ -1162,6 +1192,11 @@ process.parent.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.parent.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.parent.name.text name: text norms: false diff --git a/generated/process/elasticsearch/7/template.json b/generated/process/elasticsearch/7/template.json index fcbb47554..fcf9acca2 100644 --- a/generated/process/elasticsearch/7/template.json +++ b/generated/process/elasticsearch/7/template.json @@ -172,6 +172,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -186,6 +191,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -271,6 +281,11 @@ }, "command_line": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -285,6 +300,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -314,6 +334,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" 
@@ -343,6 +368,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -353,6 +383,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/generated/registry/ecs/ecs_flat.yml b/generated/registry/ecs/ecs_flat.yml index d1678d38c..1103e33ea 100644 --- a/generated/registry/ecs/ecs_flat.yml +++ b/generated/registry/ecs/ecs_flat.yml @@ -747,6 +747,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -776,6 +781,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -872,6 +882,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -890,6 +905,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/registry/ecs/subset/registry/ecs_flat.yml b/generated/registry/ecs/subset/registry/ecs_flat.yml index d1678d38c..1103e33ea 100644 --- a/generated/registry/ecs/subset/registry/ecs_flat.yml +++ b/generated/registry/ecs/subset/registry/ecs_flat.yml 
@@ -747,6 +747,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -776,6 +781,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -872,6 +882,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -890,6 +905,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/registry/elasticsearch/7/template.json b/generated/registry/elasticsearch/7/template.json index 4f5ba39fd..035dbe5c4 100644 --- a/generated/registry/elasticsearch/7/template.json +++ b/generated/registry/elasticsearch/7/template.json @@ -172,6 +172,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -186,6 +191,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -227,6 +237,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" 
@@ -237,6 +252,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/generated/security/ecs/ecs_flat.yml b/generated/security/ecs/ecs_flat.yml index 7c12f8219..5e65c6a23 100644 --- a/generated/security/ecs/ecs_flat.yml +++ b/generated/security/ecs/ecs_flat.yml @@ -747,6 +747,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false @@ -776,6 +781,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -872,6 +882,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -890,6 +905,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/security/ecs/subset/security/ecs_flat.yml b/generated/security/ecs/subset/security/ecs_flat.yml index 7c12f8219..5e65c6a23 100644 --- a/generated/security/ecs/subset/security/ecs_flat.yml +++ b/generated/security/ecs/subset/security/ecs_flat.yml @@ -747,6 +747,11 @@ host.os.full: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.full.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.full.text name: text norms: false 
@@ -776,6 +781,11 @@ host.os.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: host.os.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: host.os.name.text name: text norms: false @@ -872,6 +882,11 @@ process.executable: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.executable.text name: text norms: false @@ -890,6 +905,11 @@ process.name: ignore_above: 1024 level: extended multi_fields: + - flat_name: process.name.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword - flat_name: process.name.text name: text norms: false diff --git a/generated/security/elasticsearch/7/template.json b/generated/security/elasticsearch/7/template.json index 2f9c1ee9c..a8c2542e8 100644 --- a/generated/security/elasticsearch/7/template.json +++ b/generated/security/elasticsearch/7/template.json @@ -172,6 +172,11 @@ }, "full": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -186,6 +191,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -227,6 +237,11 @@ }, "executable": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" @@ -237,6 +252,11 @@ }, "name": { "fields": { + "caseless": { + "ignore_above": 1024, + "normalizer": "lowercase", + "type": "keyword" + }, "text": { "norms": false, "type": "text" diff --git a/package/endpoint/dataset/alerts/fields/fields.yml b/package/endpoint/dataset/alerts/fields/fields.yml index 08ad98cdc..02d25aceb 100644 --- a/package/endpoint/dataset/alerts/fields/fields.yml 
+++ b/package/endpoint/dataset/alerts/fields/fields.yml @@ -574,6 +574,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -603,6 +607,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -647,6 +655,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -748,6 +760,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -777,6 +793,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -821,6 +841,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -893,6 +917,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -1168,6 +1196,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -2173,6 +2205,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -2227,6 +2264,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false 
@@ -2429,6 +2471,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -2446,6 +2493,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -2840,6 +2892,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -2869,6 +2925,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -2909,6 +2970,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -3010,6 +3076,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -3039,6 +3109,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -3083,6 +3157,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -3155,6 +3233,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -3423,6 +3505,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false 
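Review bot: The `caseless` multi-fields added to this dataset are declared two different ways, and the difference is not explained: the hunks at `@@ -2429`, `@@ -2446`, `@@ -2869`, `@@ -2909` and `@@ -3423` include `default_field: false`, while those at `@@ -2840`, `@@ -3010`, `@@ -3039`, `@@ -3083` and `@@ -3155` omit it. If the package tooling reads `default_field` as the opt-out from `index.query.default_field`, the sub-fields without it will be searchable from a bare query-string search and the others will not, which is an odd split for a set of fields that exist for one purpose. The collapsed context does not show which ECS fields each hunk covers, so it may be deliberate (for example driven by field level or by reuse under `Target.`), but that should be confirmed rather than assumed. Since this file looks generated from `custom_schemas/`, any correction should be made in the generator inputs, not by hand here.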
diff --git a/package/endpoint/dataset/file/fields/fields.yml b/package/endpoint/dataset/file/fields/fields.yml index ceed77df6..59dcf2479 100644 --- a/package/endpoint/dataset/file/fields/fields.yml +++ b/package/endpoint/dataset/file/fields/fields.yml @@ -412,6 +412,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -539,6 +544,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -556,6 +566,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -615,6 +630,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -626,6 +646,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false diff --git a/package/endpoint/dataset/library/fields/fields.yml b/package/endpoint/dataset/library/fields/fields.yml index b4bbb8500..6bfe39e6b 100644 --- a/package/endpoint/dataset/library/fields/fields.yml +++ b/package/endpoint/dataset/library/fields/fields.yml @@ -370,6 +370,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -512,6 +517,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false 
@@ -529,6 +539,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -588,6 +603,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -599,6 +619,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false diff --git a/package/endpoint/dataset/metadata/fields/fields.yml b/package/endpoint/dataset/metadata/fields/fields.yml index 3f234a29e..450db6ae0 100644 --- a/package/endpoint/dataset/metadata/fields/fields.yml +++ b/package/endpoint/dataset/metadata/fields/fields.yml @@ -374,6 +374,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -391,6 +396,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false diff --git a/package/endpoint/dataset/metrics/fields/fields.yml b/package/endpoint/dataset/metrics/fields/fields.yml index 239803170..09b0ebc5f 100644 --- a/package/endpoint/dataset/metrics/fields/fields.yml +++ b/package/endpoint/dataset/metrics/fields/fields.yml @@ -448,6 +448,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -465,6 +470,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false 
diff --git a/package/endpoint/dataset/network/fields/fields.yml b/package/endpoint/dataset/network/fields/fields.yml index e45bcb1b9..88615ad99 100644 --- a/package/endpoint/dataset/network/fields/fields.yml +++ b/package/endpoint/dataset/network/fields/fields.yml @@ -561,6 +561,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -578,6 +583,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -790,6 +800,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -801,6 +816,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false diff --git a/package/endpoint/dataset/policy/fields/fields.yml b/package/endpoint/dataset/policy/fields/fields.yml index 27cec23ce..fea304c07 100644 --- a/package/endpoint/dataset/policy/fields/fields.yml +++ b/package/endpoint/dataset/policy/fields/fields.yml @@ -525,6 +525,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -542,6 +547,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false diff --git a/package/endpoint/dataset/process/fields/fields.yml b/package/endpoint/dataset/process/fields/fields.yml index dfd9a9612..73addb780 100644 --- a/package/endpoint/dataset/process/fields/fields.yml 
+++ b/package/endpoint/dataset/process/fields/fields.yml @@ -352,6 +352,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -369,6 +374,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -494,6 +504,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -523,6 +537,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -558,6 +577,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -603,6 +627,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false @@ -614,6 +642,10 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false diff --git a/package/endpoint/dataset/registry/fields/fields.yml b/package/endpoint/dataset/registry/fields/fields.yml index 6f16b0d93..693b41304 100644 --- a/package/endpoint/dataset/registry/fields/fields.yml +++ b/package/endpoint/dataset/registry/fields/fields.yml @@ -352,6 +352,11 @@ type: keyword ignore_above: 1024 multi_fields: + - name: caseless + type: keyword + default_field: false + normalizer: lowercase + ignore_above: 1024 - name: text type: text norms: false 
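Review bot: The new `caseless` sub-fields are not declared uniformly in this file: the hunks at `@@ -494`, `@@ -603` and `@@ -614` omit `default_field: false`, while the four others in the same file set it. If `default_field` is treated as the opt-out for `index.query.default_field`, those three `.caseless` sub-fields will join the default search field list and the rest will not, which looks unintentional for fields that all serve the same case-insensitive matching purpose. Which ECS fields those three hunks correspond to is not visible from the collapsed context, so confirm whether the difference is driven by something like field level before changing it. If it is a generator quirk, the fix belongs in the tooling that emits these files from `custom_schemas/`; the same mixed pattern shows up in the alerts dataset's fields.yml in this commit.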
@@ -369,6 +374,11 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
+ - name: caseless
+ type: keyword
+ default_field: false
+ normalizer: lowercase
+ ignore_above: 1024
 - name: text
 type: text
 norms: false
@@ -428,6 +438,11 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
+ - name: caseless
+ type: keyword
+ default_field: false
+ normalizer: lowercase
+ ignore_above: 1024
 - name: text
 type: text
 norms: false
@@ -439,6 +454,11 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
+ - name: caseless
+ type: keyword
+ default_field: false
+ normalizer: lowercase
+ ignore_above: 1024
 - name: text
 type: text
 norms: false
diff --git a/package/endpoint/dataset/security/fields/fields.yml b/package/endpoint/dataset/security/fields/fields.yml
index 10e60ea36..6cf369a55 100644
--- a/package/endpoint/dataset/security/fields/fields.yml
+++ b/package/endpoint/dataset/security/fields/fields.yml
@@ -352,6 +352,11 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
+ - name: caseless
+ type: keyword
+ default_field: false
+ normalizer: lowercase
+ ignore_above: 1024
 - name: text
 type: text
 norms: false
@@ -369,6 +374,11 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
+ - name: caseless
+ type: keyword
+ default_field: false
+ normalizer: lowercase
+ ignore_above: 1024
 - name: text
 type: text
 norms: false
@@ -428,6 +438,11 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
+ - name: caseless
+ type: keyword
+ default_field: false
+ normalizer: lowercase
+ ignore_above: 1024
 - name: text
 type: text
 norms: false
@@ -439,6 +454,11 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
+ - name: caseless
+ type: keyword
+ default_field: false
+ normalizer: lowercase
+ ignore_above: 1024
 - name: text
 type: text
 norms: false
diff --git a/schemas/v1/alerts/malware_event.yaml b/schemas/v1/alerts/malware_event.yaml
index defb7a80e..eeb74329f 100644
--- a/schemas/v1/alerts/malware_event.yaml
+++ b/schemas/v1/alerts/malware_event.yaml
@@ -968,6 +968,11 @@ Target.process.command_line:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: Target.process.command_line.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: Target.process.command_line.text
 name: text
 norms: false
@@ -1005,6 +1010,11 @@ Target.process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: Target.process.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: Target.process.executable.text
 name: text
 norms: false
@@ -1082,6 +1092,11 @@ Target.process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: Target.process.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: Target.process.name.text
 name: text
 norms: false
@@ -1248,6 +1263,11 @@ Target.process.parent.command_line:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: Target.process.parent.command_line.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: Target.process.parent.command_line.text
 name: text
 norms: false
@@ -1285,6 +1305,11 @@ Target.process.parent.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: Target.process.parent.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: Target.process.parent.executable.text
 name: text
 norms: false
@@ -1362,6 +1387,11 @@ Target.process.parent.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: Target.process.parent.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: Target.process.parent.name.text
 name: text
 norms: false
@@ -1479,6 +1509,11 @@ Target.process.parent.working_directory:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: Target.process.parent.working_directory.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: Target.process.parent.working_directory.text
 name: text
 norms: false
@@ -1967,6 +2002,11 @@ Target.process.working_directory:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: Target.process.working_directory.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: Target.process.working_directory.text
 name: text
 norms: false
@@ -3835,6 +3875,11 @@ file.path:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: file.path.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: file.path.text
 name: text
 norms: false
@@ -3922,6 +3967,11 @@ file.target_path:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: file.target_path.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: file.target_path.text
 name: text
 norms: false
@@ -4253,6 +4303,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -4282,6 +4337,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
@@ -4983,6 +5043,11 @@ process.command_line:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.command_line.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.command_line.text
 name: text
 norms: false
@@ -5018,6 +5083,11 @@ process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.executable.text
 name: text
 norms: false
@@ -5093,6 +5163,11 @@ process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.name.text
 name: text
 norms: false
@@ -5258,6 +5333,11 @@ process.parent.command_line:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.parent.command_line.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.parent.command_line.text
 name: text
 norms: false
@@ -5295,6 +5375,11 @@ process.parent.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.parent.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.parent.executable.text
 name: text
 norms: false
@@ -5372,6 +5457,11 @@ process.parent.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.parent.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.parent.name.text
 name: text
 norms: false
@@ -5489,6 +5579,11 @@ process.parent.working_directory:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.parent.working_directory.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.parent.working_directory.text
 name: text
 norms: false
@@ -5963,6 +6058,11 @@ process.working_directory:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.working_directory.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.working_directory.text
 name: text
 norms: false
diff --git a/schemas/v1/file/file.yaml b/schemas/v1/file/file.yaml
index 6f8ec504f..c03ca5364 100644
--- a/schemas/v1/file/file.yaml
+++ b/schemas/v1/file/file.yaml
@@ -835,6 +835,11 @@ file.path:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: file.path.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: file.path.text
 name: text
 norms: false
@@ -1028,6 +1033,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -1057,6 +1067,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
@@ -1153,6 +1168,11 @@ process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.executable.text
 name: text
 norms: false
@@ -1171,6 +1191,11 @@ process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.name.text
 name: text
 norms: false
diff --git a/schemas/v1/file/unquarantine.yaml b/schemas/v1/file/unquarantine.yaml
index 7d5377fd0..0f7f2771d 100644
--- a/schemas/v1/file/unquarantine.yaml
+++ b/schemas/v1/file/unquarantine.yaml
@@ -727,6 +727,11 @@ file.path:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: file.path.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: file.path.text
 name: text
 norms: false
@@ -851,6 +856,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -880,6 +890,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
diff --git a/schemas/v1/library/library.yaml b/schemas/v1/library/library.yaml
index 52c63fd63..8e6a6885b 100644
--- a/schemas/v1/library/library.yaml
+++ b/schemas/v1/library/library.yaml
@@ -750,6 +750,11 @@ file.path:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: file.path.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: file.path.text
 name: text
 norms: false
@@ -968,6 +973,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -997,6 +1007,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
@@ -1093,6 +1108,11 @@ process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.executable.text
 name: text
 norms: false
@@ -1111,6 +1131,11 @@ process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.name.text
 name: text
 norms: false
diff --git a/schemas/v1/metadata/metadata.yaml b/schemas/v1/metadata/metadata.yaml
index 5488bceb2..468a63531 100644
--- a/schemas/v1/metadata/metadata.yaml
+++ b/schemas/v1/metadata/metadata.yaml
@@ -785,6 +785,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -814,6 +819,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
diff --git a/schemas/v1/metrics/metrics.yaml b/schemas/v1/metrics/metrics.yaml
index c8e4d3151..0b4888521 100644
--- a/schemas/v1/metrics/metrics.yaml
+++ b/schemas/v1/metrics/metrics.yaml
@@ -919,6 +919,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -948,6 +953,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
diff --git a/schemas/v1/network/network.yaml b/schemas/v1/network/network.yaml
index ea49fd54d..f5d3b3232 100644
--- a/schemas/v1/network/network.yaml
+++ b/schemas/v1/network/network.yaml
@@ -1070,6 +1070,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -1099,6 +1104,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
@@ -1415,6 +1425,11 @@ process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.executable.text
 name: text
 norms: false
@@ -1433,6 +1448,11 @@ process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.name.text
 name: text
 norms: false
diff --git a/schemas/v1/policy/policy.yaml b/schemas/v1/policy/policy.yaml
index 185912ff1..338f8bea5 100644
--- a/schemas/v1/policy/policy.yaml
+++ b/schemas/v1/policy/policy.yaml
@@ -1035,6 +1035,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -1064,6 +1069,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
diff --git a/schemas/v1/process/process.yaml b/schemas/v1/process/process.yaml
index 810102b15..4dbf7c8d7 100644
--- a/schemas/v1/process/process.yaml
+++ b/schemas/v1/process/process.yaml
@@ -747,6 +747,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -776,6 +781,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
@@ -975,6 +985,11 @@ process.command_line:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.command_line.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.command_line.text
 name: text
 norms: false
@@ -1010,6 +1025,11 @@ process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.executable.text
 name: text
 norms: false
@@ -1074,6 +1094,11 @@ process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.name.text
 name: text
 norms: false
@@ -1143,6 +1168,11 @@ process.parent.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.parent.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.parent.executable.text
 name: text
 norms: false
@@ -1162,6 +1192,11 @@ process.parent.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.parent.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.parent.name.text
 name: text
 norms: false
diff --git a/schemas/v1/registry/registry.yaml b/schemas/v1/registry/registry.yaml
index d1678d38c..1103e33ea 100644
--- a/schemas/v1/registry/registry.yaml
+++ b/schemas/v1/registry/registry.yaml
@@ -747,6 +747,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -776,6 +781,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
@@ -872,6 +882,11 @@ process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.executable.text
 name: text
 norms: false
@@ -890,6 +905,11 @@ process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.name.text
 name: text
 norms: false
diff --git a/schemas/v1/security/security.yaml b/schemas/v1/security/security.yaml
index 7c12f8219..5e65c6a23 100644
--- a/schemas/v1/security/security.yaml
+++ b/schemas/v1/security/security.yaml
@@ -747,6 +747,11 @@ host.os.full:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.full.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.full.text
 name: text
 norms: false
@@ -776,6 +781,11 @@ host.os.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: host.os.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: host.os.name.text
 name: text
 norms: false
@@ -872,6 +882,11 @@ process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.executable.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.executable.text
 name: text
 norms: false
@@ -890,6 +905,11 @@ process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
+ - flat_name: process.name.caseless
+ ignore_above: 1024
+ name: caseless
+ normalizer: lowercase
+ type: keyword
 - flat_name: process.name.text
 name: text
 norms: false