Elastic detections and case sensitivity

We use Logstash to lowercase most fields used in detections. I was hoping the new wildcard field type would get around the issue of case-insensitivity in the detection rules (not including EQL).

Any recommendations or ideas? I was considering flipping the index fields so that the main field is text and multi-field is keyword.

Hey @probson,

You don't have to use the new wildcard field type for case-insensitive queries. You can perform case-insensitive checks at search time using query DSL or EQL.

If you use EQL to write detections, you can make your logic case-insensitive by using the colon :. For example process.name : "cmd.exe" is the case-insensitive version of process.name == "cmd.exe".
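
An added example, not part of the thread and not Elastic's code: a small Python model of the comparisons discussed above, run over constructed process events, showing which `process.name` casings a rule matches with `==`, with `:`, and when the field is lowercased at ingest. The function names and sample events are assumptions made for the illustration.

```python
# Added illustration: a simplified model of EQL's `==` and `:` string
# comparisons and of ingest-time lowercasing. Not Elastic's implementation.

def eql_equals(field_value, literal):
    """Models `==`: exact, case-sensitive string comparison."""
    return field_value == literal

def eql_colon(field_value, literal):
    """Models `:`: string equality that ignores case."""
    return field_value.casefold() == literal.casefold()

def ingest_lowercase(event, fields):
    """Models lowercasing selected fields before indexing (hypothetical helper)."""
    return {k: (v.lower() if k in fields else v) for k, v in event.items()}

# Constructed sample events: same binary name in different casings.
EVENTS = [
    {"id": 1, "process.name": "cmd.exe"},
    {"id": 2, "process.name": "CMD.EXE"},
    {"id": 3, "process.name": "Cmd.Exe"},
    {"id": 4, "process.name": "notepad.exe"},
]

def matching_ids(events, compare, literal, field="process.name"):
    """Return ids of events whose field satisfies the comparison."""
    return [e["id"] for e in events if compare(e[field], literal)]

def coverage_report(events=EVENTS):
    """Compare rule coverage across the approaches mentioned in the thread."""
    lowered = [ingest_lowercase(e, {"process.name"}) for e in events]
    return {
        # Case-sensitive rule on raw data: other casings slip past.
        "raw, == 'cmd.exe'": matching_ids(events, eql_equals, "cmd.exe"),
        # Case-insensitive rule on raw data: all casings match.
        "raw, : 'cmd.exe'": matching_ids(events, eql_colon, "cmd.exe"),
        # Lowercased data works with `==` only if the literal is lowercase too.
        "lowercased, == 'cmd.exe'": matching_ids(lowered, eql_equals, "cmd.exe"),
        "lowercased, == 'Cmd.exe'": matching_ids(lowered, eql_equals, "Cmd.exe"),
        # `:` is robust to the casing of both the data and the rule literal.
        "lowercased, : 'Cmd.exe'": matching_ids(lowered, eql_colon, "Cmd.exe"),
    }

if __name__ == "__main__":
    for approach, ids in coverage_report().items():
        print(f"{approach:28} -> {ids}")
```
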

Hi @rw-access

EQL has been good for us; it was more the Elastic-built detections that use KQL.

Thanks
Phil

I like the way you think! We've actually been updating a lot of them in 7.11 to use EQL specifically for case-insensitivity. Hopefully we remove all case-sensitivity evasions as part of the effort.

If you'd like, you can follow along in GitHub with the tag: kql-to-eql

@rw-access

That's great, so moving away from KQL. I had only looked at it as sequence-based rather than single hits.