Add lowercase normaliser to ECS fields which support security incident response process #2287
Labels
enhancement
New feature or request
Comments
|
Any update on this? Absolute minimum add it to host.name Users are constantly missing logs during investigations because of this..... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
Here's an example of fields where we believe there is a strong use case to apply the lowercase normaliser.
host.name
host.domain
user.domain
user.name
related.user
related.hosts
url.registered_domain
dns.question.name
dns.question.registered_domain
email addresses
hashes like md5, sha1 and sha256 can be upper or lowercase
process.name
process.executable
threat.indicator.url.domain
url.domain
An example of why this is useful is our IT team pass usernames round in uppercase, whereas our security analyst team have to search logs in lowercase. Applying the lowercase normaliser will make these fields case insensitive. This reduces the chance of human error. These fields can be different cases in the log data. Applying the lowercase normaliser will improve usability.
Thanks
The text was updated successfully, but these errors were encountered: