EQL: Introduce case insensitive variant in~ (#68176) (#68204)

Complement to in, in~ does case-insensitive matching without any
pattern matching - : should be used instead.

process where name in~ ("ExPLorEr.eXe")

will match name against explorer.exe regardless of case.

Fix #68172

Author: costin

x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml

@@ -326,3 +326,32 @@ query = '''
 file where wildcard(file_name, "winini?.exe", "lsass.e?e") and opcode == 2
 '''
 expected_event_ids  = [65, 86]
+
+[[queries]]
+name = "insensitiveInSingleArg"
+query = 'process where string(serial_event_id) in~ ("1")'
+expected_event_ids  = [1]
+
+[[queries]]
+name = "insensitiveInSingleArgPatternVerbatimMatch"
+query = 'process where string(serial_event_id) in~ ("1*")'
+expected_event_ids  = []
+
+[[queries]]
+name = "insensitiveInSingleArgPatternQuestionMarkVerbatimMatch"
+query = 'process where string(serial_event_id) in~ ("1?")'
+expected_event_ids  = []
+
+[[queries]]
+name = "insensitiveInMultipleArgs"
+query = '''
+file where file_name in~ ("wininit.exe", "lsass.exe") and opcode == 2
+'''
+expected_event_ids  = [65, 86]
+
+[[queries]]
+name = "insensitiveMultipleArgsWildcardPatternVerbatimMatch"
+query = '''
+file where file_name in~ ("winini*.exe", "lsass.e?e") and opcode == 2
+'''
+expected_event_ids  = []

x-pack/plugin/eql/src/main/antlr/EqlBase.g4

@@ -99,7 +99,7 @@ operatorExpression
 //   https://github.com/antlr/antlr4/issues/780
 //   https://github.com/antlr/antlr4/issues/781
 predicate
-    : NOT? kind=IN LP expression (COMMA expression)* RP
+    : NOT? kind=(IN | IN_INSENSITIVE) LP expression (COMMA expression)* RP
     | kind=SEQ constant
     | kind=SEQ LP constant (COMMA constant)* RP
     ;
@@ -162,6 +162,7 @@ ANY: 'any';
 BY: 'by';
 FALSE: 'false';
 IN: 'in';
+IN_INSENSITIVE : 'in~';
 JOIN: 'join';
 MAXSPAN: 'maxspan';
 NOT: 'not';

x-pack/plugin/eql/src/main/antlr/EqlBase.tokens

@@ -3,79 +3,81 @@ ANY=2
 BY=3
 FALSE=4
 IN=5
-JOIN=6
-MAXSPAN=7
-NOT=8
-NULL=9
-OF=10
-OR=11
-SEQUENCE=12
-TRUE=13
-UNTIL=14
-WHERE=15
-WITH=16
-SEQ=17
-ASGN=18
-EQ=19
-NEQ=20
-LT=21
-LTE=22
-GT=23
-GTE=24
-PLUS=25
-MINUS=26
-ASTERISK=27
-SLASH=28
-PERCENT=29
-DOT=30
-COMMA=31
-LB=32
-RB=33
-LP=34
-RP=35
-PIPE=36
-STRING=37
-INTEGER_VALUE=38
-DECIMAL_VALUE=39
-IDENTIFIER=40
-QUOTED_IDENTIFIER=41
-TILDE_IDENTIFIER=42
-LINE_COMMENT=43
-BRACKETED_COMMENT=44
-WS=45
+IN_INSENSITIVE=6
+JOIN=7
+MAXSPAN=8
+NOT=9
+NULL=10
+OF=11
+OR=12
+SEQUENCE=13
+TRUE=14
+UNTIL=15
+WHERE=16
+WITH=17
+SEQ=18
+ASGN=19
+EQ=20
+NEQ=21
+LT=22
+LTE=23
+GT=24
+GTE=25
+PLUS=26
+MINUS=27
+ASTERISK=28
+SLASH=29
+PERCENT=30
+DOT=31
+COMMA=32
+LB=33
+RB=34
+LP=35
+RP=36
+PIPE=37
+STRING=38
+INTEGER_VALUE=39
+DECIMAL_VALUE=40
+IDENTIFIER=41
+QUOTED_IDENTIFIER=42
+TILDE_IDENTIFIER=43
+LINE_COMMENT=44
+BRACKETED_COMMENT=45
+WS=46
 'and'=1
 'any'=2
 'by'=3
 'false'=4
 'in'=5
-'join'=6
-'maxspan'=7
-'not'=8
-'null'=9
-'of'=10
-'or'=11
-'sequence'=12
-'true'=13
-'until'=14
-'where'=15
-'with'=16
-':'=17
-'='=18
-'=='=19
-'!='=20
-'<'=21
-'<='=22
-'>'=23
-'>='=24
-'+'=25
-'-'=26
-'*'=27
-'/'=28
-'%'=29
-'.'=30
-','=31
-'['=32
-']'=33
-'('=34
-')'=35
-'|'=36
+'in~'=6
+'join'=7
+'maxspan'=8
+'not'=9
+'null'=10
+'of'=11
+'or'=12
+'sequence'=13
+'true'=14
+'until'=15
+'where'=16
+'with'=17
+':'=18
+'='=19
+'=='=20
+'!='=21
+'<'=22
+'<='=23
+'>'=24
+'>='=25
+'+'=26
+'-'=27
+'*'=28
+'/'=29
+'%'=30
+'.'=31
+','=32
+'['=33
+']'=34
+'('=35
+')'=36
+'|'=37

x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens

@@ -3,79 +3,81 @@ ANY=2
 BY=3
 FALSE=4
 IN=5
-JOIN=6
-MAXSPAN=7
-NOT=8
-NULL=9
-OF=10
-OR=11
-SEQUENCE=12
-TRUE=13
-UNTIL=14
-WHERE=15
-WITH=16
-SEQ=17
-ASGN=18
-EQ=19
-NEQ=20
-LT=21
-LTE=22
-GT=23
-GTE=24
-PLUS=25
-MINUS=26
-ASTERISK=27
-SLASH=28
-PERCENT=29
-DOT=30
-COMMA=31
-LB=32
-RB=33
-LP=34
-RP=35
-PIPE=36
-STRING=37
-INTEGER_VALUE=38
-DECIMAL_VALUE=39
-IDENTIFIER=40
-QUOTED_IDENTIFIER=41
-TILDE_IDENTIFIER=42
-LINE_COMMENT=43
-BRACKETED_COMMENT=44
-WS=45
+IN_INSENSITIVE=6
+JOIN=7
+MAXSPAN=8
+NOT=9
+NULL=10
+OF=11
+OR=12
+SEQUENCE=13
+TRUE=14
+UNTIL=15
+WHERE=16
+WITH=17
+SEQ=18
+ASGN=19
+EQ=20
+NEQ=21
+LT=22
+LTE=23
+GT=24
+GTE=25
+PLUS=26
+MINUS=27
+ASTERISK=28
+SLASH=29
+PERCENT=30
+DOT=31
+COMMA=32
+LB=33
+RB=34
+LP=35
+RP=36
+PIPE=37
+STRING=38
+INTEGER_VALUE=39
+DECIMAL_VALUE=40
+IDENTIFIER=41
+QUOTED_IDENTIFIER=42
+TILDE_IDENTIFIER=43
+LINE_COMMENT=44
+BRACKETED_COMMENT=45
+WS=46
 'and'=1
 'any'=2
 'by'=3
 'false'=4
 'in'=5
-'join'=6
-'maxspan'=7
-'not'=8
-'null'=9
-'of'=10
-'or'=11
-'sequence'=12
-'true'=13
-'until'=14
-'where'=15
-'with'=16
-':'=17
-'='=18
-'=='=19
-'!='=20
-'<'=21
-'<='=22
-'>'=23
-'>='=24
-'+'=25
-'-'=26
-'*'=27
-'/'=28
-'%'=29
-'.'=30
-','=31
-'['=32
-']'=33
-'('=34
-')'=35
-'|'=36
+'in~'=6
+'join'=7
+'maxspan'=8
+'not'=9
+'null'=10
+'of'=11
+'or'=12
+'sequence'=13
+'true'=14
+'until'=15
+'where'=16
+'with'=17
+':'=18
+'='=19
+'=='=20
+'!='=21
+'<'=22
+'<='=23
+'>'=24
+'>='=25
+'+'=26
+'-'=27
+'*'=28
+'/'=29
+'%'=30
+'.'=31
+','=32
+'['=33
+']'=34
+'('=35
+')'=36
+'|'=37

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveEquals.java

@@ -8,18 +8,13 @@
 
 import org.elasticsearch.xpack.ql.expression.Expression;
 import org.elasticsearch.xpack.ql.expression.predicate.Negatable;
-import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.BinaryComparisonProcessor.BinaryComparisonOperation;
 import org.elasticsearch.xpack.ql.tree.NodeInfo;
 import org.elasticsearch.xpack.ql.tree.Source;
 
 import java.time.ZoneId;
 
 public class InsensitiveEquals extends InsensitiveBinaryComparison implements Negatable<InsensitiveBinaryComparison> {
 
-    public InsensitiveEquals(Source source, Expression left, Expression right) {
-        this(source, left, right, null);
-    }
-
     public InsensitiveEquals(Source source, Expression left, Expression right, ZoneId zoneId) {
         super(source, left, right, InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation.SEQ, zoneId);
     }
@@ -46,6 +41,6 @@ public InsensitiveBinaryComparison negate() {
 
     @Override
     protected String regularOperatorSymbol() {
-        return BinaryComparisonOperation.EQ.symbol();
+        return "in";
     }
 }