Status: Open
Labels: enhancement (New feature or request)
Description
Hi
Fields like user.name, user.target.name, host.name, url.domain, url.path, process.name, process.executable and process.command_line are at the top of the list of fields that should have the lowercase normaliser in the mappings. Users keep missing logs because they search with the wrong case.
All someone has to do is rename cmd.exe to CMD.exe and the logs are missed when the analyst searches for cmd.exe... Unless the lowercase normaliser is applied. This probably affects the SIEM security alerting too!
Why not add the lowercase normaliser to related.user, related.hosts as a minimum???
KQL is still the core search language, but it's case-sensitive....
Thanks,
Matthew
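As an added illustration (not from the ECS project and not part of the issue above), here is an Elasticsearch index body that defines a custom lowercase normalizer and applies it to several of the keyword fields the issue names. The normalizer name `lowercase_normalizer` and the index layout are my own choices; only `process.name`, `process.executable`, `related.user` and `related.hosts` are taken from the issue text, and the `.text` multi-field on `process.name` mirrors the common pattern of keeping a free-text copy alongside the exact-match keyword.

```json
{
  "settings": {
    "analysis": {
      "normalizer": {
        "lowercase_normalizer": {
          "type": "custom",
          "char_filter": [],
          "filter": ["lowercase"]
        }
      }
    }
  },
  "mappings": {
    "properties": {
      "process": {
        "properties": {
          "name": {
            "type": "keyword",
            "normalizer": "lowercase_normalizer",
            "fields": {
              "text": { "type": "text" }
            }
          },
          "executable": {
            "type": "keyword",
            "normalizer": "lowercase_normalizer"
          }
        }
      },
      "related": {
        "properties": {
          "user": {
            "type": "keyword",
            "normalizer": "lowercase_normalizer"
          },
          "hosts": {
            "type": "keyword",
            "normalizer": "lowercase_normalizer"
          }
        }
      }
    }
  }
}
```

Create the index with `PUT /<index-name>` and this body. Because the normalizer is applied both when a keyword value is indexed and when a query term is parsed, a document whose `process.name` was written as `CMD.exe` matches a KQL search for `process.name : cmd.exe` (and vice versa), which is the case-mismatch the issue describes. Two practical points: a normalizer cannot be added to or changed on a field in an existing index, so rolling this out means a new index (or index template) plus a reindex, and the normalized form is what lands in doc values, so `terms` aggregations and sorts on these fields will return the lowercased value even though `_source` keeps the original casing.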