feat: ✨ Add elastic Casesensitive pipeline

frack113 · Apr 26, 2024 · 8a62761 · 8a62761
1 parent b84b208
commit 8a62761
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ You can use them, improve them or add new ones.
 ## elastic
 - ecs_1_winlogbeat ECS 1.xx winlogbeat field mapping 
 - ecs_1_filebeat ECS 1.xx filebeat field mapping (only auditd module)
+- ecs_1_casesensitive Use regex to make Case Insensitive search
 
 ## misc
 - placerholder from [sigmahq bloq](https://blog.sigmahq.io/building-flexible-detections-with-sigma-placeholders-7c1b814e2860)

diff --git a/elastic/ecs_1_casesensitive.yml b/elastic/ecs_1_casesensitive.yml
@@ -0,0 +1,11 @@
+name: Elastic CaseSensitive
+priority: 20
+transformations:
+  - id: field_case
+    type: regex
+    method: ignore_case_brackets
+    field_name_conditions:
+      - type: include_fields
+        fields: 
+          - Image
+          - CommandLine