elastic/ecs

Add lowercase normaliser to ECS fields which support security incident response process

mbudge opened this issue · 1 comment

mbudge commented

Hi,

Here's an example of fields where we believe there is a strong use case to apply the lowercase normaliser.

host.name
host.domain
user.domain
user.name
related.user
related.hosts
url.registered_domain
dns.question.name
dns.question.registered_domain
email addresses
hashes like md5, sha1 and sha256 can be upper or lowercase
process.name
process.executable
threat.indicator.url.domain
url.domain

An example of why this is useful is that our IT team pass usernames around in uppercase, whereas our security analyst team have to search logs in lowercase. Applying the lowercase normaliser will make these fields case insensitive. This reduces the chance of human error. These fields can appear in different cases in the log data. Applying the lowercase normaliser will improve usability.

Thanks
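Added example (not code from the issue, the ECS project or Elasticsearch): a small generator that turns the dotted ECS field names listed above into an Elasticsearch index body that declares a custom `lowercase` normalizer and applies it to each field as a `keyword`. The normalizer name `lowercase_normalizer`, the function names and the concrete `hash.md5`/`hash.sha1`/`hash.sha256` paths are the example's own choices; the issue only mentions hashes and email addresses informally, so the email fields are left out.

```python
"""Build an Elasticsearch settings/mappings body that applies a lowercase
normalizer to selected ECS keyword fields.

This is an added example, not part of the elastic/ecs issue or the ECS
project. Assumed names: NORMALIZER_NAME, the three functions below, and the
hash.* paths (the issue names hashes only informally).
"""
import json

NORMALIZER_NAME = "lowercase_normalizer"  # assumed name, not an ECS identifier

# Dotted ECS paths taken from the issue; hash.* paths are an assumption.
LOWERCASE_FIELDS = [
    "host.name", "host.domain",
    "user.name", "user.domain",
    "related.user", "related.hosts",
    "url.domain", "url.registered_domain",
    "dns.question.name", "dns.question.registered_domain",
    "process.name", "process.executable",
    "threat.indicator.url.domain",
    "hash.md5", "hash.sha1", "hash.sha256",
]


def normalizer_settings(name=NORMALIZER_NAME):
    """Index settings declaring a custom normalizer.

    A normalizer has no tokenizer and may only use char filters and token
    filters that keep the value as a single token (lowercase, asciifolding).
    """
    return {"analysis": {"normalizer": {
        name: {"type": "custom", "char_filter": [], "filter": ["lowercase"]}
    }}}


def keyword_mapping(dotted_fields, name=NORMALIZER_NAME):
    """Expand dotted field names into a nested `properties` tree where every
    leaf is a keyword field carrying the normalizer.

    Raises ValueError when one path would make another both an object and a
    leaf (e.g. "user" and "user.name"), since Elasticsearch rejects that.
    """
    root = {}
    for path in dotted_fields:
        *parents, leaf = path.split(".")
        node = root
        for part in parents:
            child = node.setdefault(part, {"properties": {}})
            if "properties" not in child:
                raise ValueError(f"{path}: '{part}' is already a leaf field")
            node = child["properties"]
        if "properties" in node.get(leaf, {}):
            raise ValueError(f"{path}: already defined as an object")
        node[leaf] = {"type": "keyword", "normalizer": name}
    return {"properties": root}


def index_body(dotted_fields=LOWERCASE_FIELDS, name=NORMALIZER_NAME):
    """Body for a create-index request, or for the `template` section of a
    component/index template that overrides the ECS mappings."""
    return {
        "settings": normalizer_settings(name),
        "mappings": keyword_mapping(dotted_fields, name),
    }


if __name__ == "__main__":
    # Emit the body so it can be sent with curl or the Dev Tools console.
    print(json.dumps(index_body(), indent=2))
```

Running the module prints a body that can be used with `PUT /<index>` or placed in a component template that sits after the ECS mappings. Two points worth checking before rolling this out: the normalizer is applied both when indexing and when a `term`, `terms` or `match` query targets the field, which is what makes an uppercase search value hit lowercase data; and because it also shapes the stored doc values, `terms` aggregations and sorts on these fields return the lowercased form while `_source` still holds the original casing.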