
Commit 7815b3f

Add .caseless subfield to process.name & process.executable (#2341)
Adds a subfield to the process.name and process.executable fields to improve the compatibility of data sources like System, Sysmon, etc., with our Elastic Defend data, which enables us to handle language limitations in KQL more effectively.
1 parent 4b2c7c6 commit 7815b3f


15 files changed: +570 / -0 lines changed

CHANGELOG.next.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,8 @@ Thanks, you're awesome :-) -->
2525

2626
#### Improvements
2727

28+
* Added `.caseless` subfield to `process.name` and `process.executable`. #2341
29+
2830
#### Deprecated
2931

3032
### Tooling and Artifact Changes
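Review bot: the changelog line added in this hunk names only `process.name` and `process.executable`, but the generated artifacts in the same commit add the subfield to every reuse of those two fields as well (`process.parent.*`, `process.entry_leader.*`, `process.group_leader.*`, `process.session_leader.*`, `process.previous.*`), and the entry does not say the subfield is lowercase-normalized, which is the whole point of it. Suggest wording along the lines of "Added lowercase-normalized `.caseless` subfield to `process.name` and `process.executable` and to their reuses under `process.parent`, `process.entry_leader`, `process.group_leader`, `process.session_leader` and `process.previous`. #2341" so a reader of the changelog knows both the scope and the semantics.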

docs/fields/field-details.asciidoc

Lines changed: 6 additions & 0 deletions
@@ -8128,6 +8128,9 @@ type: keyword
81288128

81298129
Multi-fields:
81308130

8131+
* process.executable.caseless (type: keyword)
8132+
8133+
81318134
* process.executable.text (type: match_only_text)
81328135

81338136

@@ -8343,6 +8346,9 @@ type: keyword
83438346

83448347
Multi-fields:
83458348

8349+
* process.name.caseless (type: keyword)
8350+
8351+
83468352
* process.name.text (type: match_only_text)
83478353

83488354

experimental/generated/beats/fields.ecs.yml

Lines changed: 46 additions & 0 deletions
@@ -5175,6 +5175,10 @@
51755175
type: keyword
51765176
ignore_above: 1024
51775177
multi_fields:
5178+
- name: caseless
5179+
type: keyword
5180+
normalizer: lowercase
5181+
ignore_above: 1024
51785182
- name: text
51795183
type: match_only_text
51805184
description: Absolute path to the process executable.
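Review bot: `normalizer: lowercase` in this hunk references a normalizer by name without defining one anywhere in the template, so the mapping only works where the cluster already provides a normalizer called `lowercase`. Elasticsearch has shipped a built-in normalizer of that name since 7.10; anything that renders these Beats field definitions into an index template for an older cluster will fail at mapping creation with an unknown-normalizer error. Worth stating the minimum Elasticsearch version in the commit or docs, or emitting an explicit `lowercase` normalizer in the index settings alongside the mapping.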
@@ -5213,6 +5217,10 @@
52135217
type: keyword
52145218
ignore_above: 1024
52155219
multi_fields:
5220+
- name: caseless
5221+
type: keyword
5222+
normalizer: lowercase
5223+
ignore_above: 1024
52165224
- name: text
52175225
type: match_only_text
52185226
description: 'Process name.
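Review bot: the `caseless` subfield added here lowercases the process name on every platform, not only on Windows, so a detection rule that queries `process.name.caseless` to cope with mixed-case Sysmon or System data will also treat `Foo` and `foo` as the same binary on Linux and on case-sensitive macOS volumes, where they are distinct files. That widening is the trade-off the commit message accepts for the KQL limitations it mentions, but the field description (`Process name.`, left unchanged in this hunk) should say the value is lowercased, so rule authors can decide per platform whether to match on `process.name` or `process.name.caseless`.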
@@ -5482,6 +5490,11 @@
54825490
type: keyword
54835491
ignore_above: 1024
54845492
multi_fields:
5493+
- name: caseless
5494+
type: keyword
5495+
normalizer: lowercase
5496+
ignore_above: 1024
5497+
default_field: false
54855498
- name: text
54865499
type: match_only_text
54875500
default_field: false
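Review bot: this hunk sets `default_field: false` on the new `caseless` subfield, matching the `text` sibling two lines below it, while the two hunks above do not; the difference mirrors the existing entries (their `text` subfields lack the flag), so it is internally consistent, but the effect is that a free-text KQL query with no field name will search the caseless subfield for some reuses of the process fields and not others. If that asymmetry is deliberate, a short comment in the schema source explaining which reuses are excluded from the default query fields would spare the next reader the diff archaeology.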
@@ -5560,6 +5573,10 @@
55605573
type: keyword
55615574
ignore_above: 1024
55625575
multi_fields:
5576+
- name: caseless
5577+
type: keyword
5578+
normalizer: lowercase
5579+
ignore_above: 1024
55635580
- name: text
55645581
type: match_only_text
55655582
description: Absolute path to the process executable.
@@ -5598,6 +5615,10 @@
55985615
type: keyword
55995616
ignore_above: 1024
56005617
multi_fields:
5618+
- name: caseless
5619+
type: keyword
5620+
normalizer: lowercase
5621+
ignore_above: 1024
56015622
- name: text
56025623
type: match_only_text
56035624
description: 'Process name.
@@ -6012,6 +6033,11 @@
60126033
type: keyword
60136034
ignore_above: 1024
60146035
multi_fields:
6036+
- name: caseless
6037+
type: keyword
6038+
normalizer: lowercase
6039+
ignore_above: 1024
6040+
default_field: false
60156041
- name: text
60166042
type: match_only_text
60176043
default_field: false
@@ -6401,6 +6427,10 @@
64016427
type: keyword
64026428
ignore_above: 1024
64036429
multi_fields:
6430+
- name: caseless
6431+
type: keyword
6432+
normalizer: lowercase
6433+
ignore_above: 1024
64046434
- name: text
64056435
type: match_only_text
64066436
description: Absolute path to the process executable.
@@ -6644,6 +6674,10 @@
66446674
type: keyword
66456675
ignore_above: 1024
66466676
multi_fields:
6677+
- name: caseless
6678+
type: keyword
6679+
normalizer: lowercase
6680+
ignore_above: 1024
66476681
- name: text
66486682
type: match_only_text
66496683
description: 'Process name.
@@ -7230,6 +7264,10 @@
72307264
type: keyword
72317265
ignore_above: 1024
72327266
multi_fields:
7267+
- name: caseless
7268+
type: keyword
7269+
normalizer: lowercase
7270+
ignore_above: 1024
72337271
- name: text
72347272
type: match_only_text
72357273
description: Absolute path to the process executable.
@@ -7345,6 +7383,10 @@
73457383
type: keyword
73467384
ignore_above: 1024
73477385
multi_fields:
7386+
- name: caseless
7387+
type: keyword
7388+
normalizer: lowercase
7389+
ignore_above: 1024
73487390
- name: text
73497391
type: match_only_text
73507392
description: Absolute path to the process executable.
@@ -7383,6 +7425,10 @@
73837425
type: keyword
73847426
ignore_above: 1024
73857427
multi_fields:
7428+
- name: caseless
7429+
type: keyword
7430+
normalizer: lowercase
7431+
ignore_above: 1024
73867432
- name: text
73877433
type: match_only_text
73887434
description: 'Process name.

experimental/generated/csv/fields.csv

Lines changed: 11 additions & 0 deletions
@@ -648,11 +648,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
648648
8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
649649
8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
650650
8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
651+
8.12.0-dev+exp,true,process,process.entry_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
651652
8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
652653
8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
653654
8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group.
654655
8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
655656
8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name.
657+
8.12.0-dev+exp,true,process,process.entry_leader.name.caseless,keyword,extended,,ssh,Process name.
656658
8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name.
657659
8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
658660
8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id.
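Review bot: the added `.caseless` rows in this hunk copy the parent's Description verbatim and leave the Normalization column empty, so a consumer of fields.csv has no way to tell that the subfield is lowercased; for the `.text` rows the Type column (`match_only_text`) at least signals a difference, but here Type is `keyword`, exactly like the parent row. Suggest appending the lowercase normalization to the Description (or populating the Normalization column) for these rows so downstream tooling and rule authors can distinguish the two keyword fields.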
@@ -688,6 +690,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
688690
8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
689691
8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
690692
8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
693+
8.12.0-dev+exp,true,process,process.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
691694
8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
692695
8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
693696
8.12.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
@@ -698,11 +701,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
698701
8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
699702
8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
700703
8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
704+
8.12.0-dev+exp,true,process,process.group_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
701705
8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
702706
8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
703707
8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group.
704708
8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
705709
8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name.
710+
8.12.0-dev+exp,true,process,process.group_leader.name.caseless,keyword,extended,,ssh,Process name.
706711
8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name.
707712
8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id.
708713
8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
@@ -762,6 +767,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
762767
8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
763768
8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
764769
8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name.
770+
8.12.0-dev+exp,true,process,process.name.caseless,keyword,extended,,ssh,Process name.
765771
8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name.
766772
8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
767773
8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
@@ -817,6 +823,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
817823
8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
818824
8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
819825
8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
826+
8.12.0-dev+exp,true,process,process.parent.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
820827
8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
821828
8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
822829
8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
@@ -850,6 +857,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
850857
8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
851858
8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
852859
8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name.
860+
8.12.0-dev+exp,true,process,process.parent.name.caseless,keyword,extended,,ssh,Process name.
853861
8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
854862
8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
855863
8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
@@ -933,6 +941,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
933941
8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
934942
8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array.
935943
8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
944+
8.12.0-dev+exp,true,process,process.previous.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
936945
8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
937946
8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
938947
8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group.
@@ -950,11 +959,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
950959
8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
951960
8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
952961
8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
962+
8.12.0-dev+exp,true,process,process.session_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
953963
8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
954964
8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
955965
8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group.
956966
8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
957967
8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name.
968+
8.12.0-dev+exp,true,process,process.session_leader.name.caseless,keyword,extended,,ssh,Process name.
958969
8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name.
959970
8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
960971
8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id.

experimental/generated/ecs/ecs_flat.yml

Lines changed: 55 additions & 0 deletions
@@ -8426,6 +8426,11 @@ process.entry_leader.executable:
84268426
ignore_above: 1024
84278427
level: extended
84288428
multi_fields:
8429+
- flat_name: process.entry_leader.executable.caseless
8430+
ignore_above: 1024
8431+
name: caseless
8432+
normalizer: lowercase
8433+
type: keyword
84298434
- flat_name: process.entry_leader.executable.text
84308435
name: text
84318436
type: match_only_text
@@ -8487,6 +8492,11 @@ process.entry_leader.name:
84878492
ignore_above: 1024
84888493
level: extended
84898494
multi_fields:
8495+
- flat_name: process.entry_leader.name.caseless
8496+
ignore_above: 1024
8497+
name: caseless
8498+
normalizer: lowercase
8499+
type: keyword
84908500
- flat_name: process.entry_leader.name.text
84918501
name: text
84928502
type: match_only_text
@@ -8910,6 +8920,11 @@ process.executable:
89108920
ignore_above: 1024
89118921
level: extended
89128922
multi_fields:
8923+
- flat_name: process.executable.caseless
8924+
ignore_above: 1024
8925+
name: caseless
8926+
normalizer: lowercase
8927+
type: keyword
89138928
- flat_name: process.executable.text
89148929
name: text
89158930
type: match_only_text
@@ -9029,6 +9044,11 @@ process.group_leader.executable:
90299044
ignore_above: 1024
90309045
level: extended
90319046
multi_fields:
9047+
- flat_name: process.group_leader.executable.caseless
9048+
ignore_above: 1024
9049+
name: caseless
9050+
normalizer: lowercase
9051+
type: keyword
90329052
- flat_name: process.group_leader.executable.text
90339053
name: text
90349054
type: match_only_text
@@ -9090,6 +9110,11 @@ process.group_leader.name:
90909110
ignore_above: 1024
90919111
level: extended
90929112
multi_fields:
9113+
- flat_name: process.group_leader.name.caseless
9114+
ignore_above: 1024
9115+
name: caseless
9116+
normalizer: lowercase
9117+
type: keyword
90939118
- flat_name: process.group_leader.name.text
90949119
name: text
90959120
type: match_only_text
@@ -9779,6 +9804,11 @@ process.name:
97799804
ignore_above: 1024
97809805
level: extended
97819806
multi_fields:
9807+
- flat_name: process.name.caseless
9808+
ignore_above: 1024
9809+
name: caseless
9810+
normalizer: lowercase
9811+
type: keyword
97829812
- flat_name: process.name.text
97839813
name: text
97849814
type: match_only_text
@@ -10440,6 +10470,11 @@ process.parent.executable:
1044010470
ignore_above: 1024
1044110471
level: extended
1044210472
multi_fields:
10473+
- flat_name: process.parent.executable.caseless
10474+
ignore_above: 1024
10475+
name: caseless
10476+
normalizer: lowercase
10477+
type: keyword
1044310478
- flat_name: process.parent.executable.text
1044410479
name: text
1044510480
type: match_only_text
@@ -10849,6 +10884,11 @@ process.parent.name:
1084910884
ignore_above: 1024
1085010885
level: extended
1085110886
multi_fields:
10887+
- flat_name: process.parent.name.caseless
10888+
ignore_above: 1024
10889+
name: caseless
10890+
normalizer: lowercase
10891+
type: keyword
1085210892
- flat_name: process.parent.name.text
1085310893
name: text
1085410894
type: match_only_text
@@ -11833,6 +11873,11 @@ process.previous.executable:
1183311873
ignore_above: 1024
1183411874
level: extended
1183511875
multi_fields:
11876+
- flat_name: process.previous.executable.caseless
11877+
ignore_above: 1024
11878+
name: caseless
11879+
normalizer: lowercase
11880+
type: keyword
1183611881
- flat_name: process.previous.executable.text
1183711882
name: text
1183811883
type: match_only_text
@@ -12018,6 +12063,11 @@ process.session_leader.executable:
1201812063
ignore_above: 1024
1201912064
level: extended
1202012065
multi_fields:
12066+
- flat_name: process.session_leader.executable.caseless
12067+
ignore_above: 1024
12068+
name: caseless
12069+
normalizer: lowercase
12070+
type: keyword
1202112071
- flat_name: process.session_leader.executable.text
1202212072
name: text
1202312073
type: match_only_text
@@ -12079,6 +12129,11 @@ process.session_leader.name:
1207912129
ignore_above: 1024
1208012130
level: extended
1208112131
multi_fields:
12132+
- flat_name: process.session_leader.name.caseless
12133+
ignore_above: 1024
12134+
name: caseless
12135+
normalizer: lowercase
12136+
type: keyword
1208212137
- flat_name: process.session_leader.name.text
1208312138
name: text
1208412139
type: match_only_text
