At the moment, the documented string functions in EQL (https://eql.readthedocs.io/en/latest/query-guide/functions.html) have inconsistent behavior when it comes to case sensitivity. All of them, with the exception of the between function, deal with strings in a case insensitive way.
Case insensitive functions:
- arrayContains
- endsWith
- indexOf
- match
- startsWith
- stringContains
- wildcard
Case sensitive functions:
- between, which has two additional parameters, one of which configures it to be case sensitive or not (default is false)
This issue is for deciding on a path forward regarding the case sensitivity aspect in ES EQL string functions.
Proposals:
- ES EQL should mirror exactly the functionality in EQL
  - con: inconsistent implicit behavior across functions
  - pro: the two implementations are fully compatible
- ES EQL should handle both case sensitive and case insensitive functionality by giving users the power of choice through additional functionality: LOWER and UPPER functions that perform lowercasing/uppercasing. These two functions, combined with the existing functions, provide the case insensitive behavior. For example:
  file where startsWith(lower(file_name), lower('expLORER.exe'))
  - cons:
    - a less user-friendly behavior, because users need to use an additional function for the same behavior they get in EQL
    - ES EQL and EQL will diverge in functionality
  - pro: a more powerful functionality for users, since they now have the possibility of matching strings exactly in their functions
- This is a variant of the first option where, by default, the behavior of ES EQL is the same as in EQL, but users have the possibility of changing this behavior through a session-level parameter (either fully case sensitive or fully case insensitive):
  - con: cannot use case insensitive and case sensitive functionality in the same query
  - pro: the two implementations are fully compatible
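To make the difference between the proposals concrete, here is a small Python model of the string functions in question; it is an added illustration, not code from Elasticsearch or the EQL project. The `case_sensitive` session flag and the `lower` function are the proposals' hypothetical additions, and the events are constructed (note that on Windows the same binary can be logged with different casing, which is why a case sensitive default can silently miss events).

```python
from typing import Callable

# Constructed sample events: the same file name logged with different casing.
EVENTS = [
    {"event_type": "file", "file_name": "explorer.exe"},
    {"event_type": "file", "file_name": "EXPLORER.EXE"},
    {"event_type": "file", "file_name": "Explorer.exe.bak"},
    {"event_type": "file", "file_name": "svchost.exe"},
]


def make_string_functions(case_sensitive: bool) -> dict[str, Callable]:
    """Build the string functions under a session-level case mode (hypothetical).

    case_sensitive=False reproduces the documented EQL behavior (proposal 1);
    case_sensitive=True is the fully case sensitive session of proposal 3.
    """
    def norm(s: str) -> str:
        return s if case_sensitive else s.lower()

    return {
        "startsWith": lambda s, p: norm(s).startswith(norm(p)),
        "endsWith": lambda s, p: norm(s).endswith(norm(p)),
        "stringContains": lambda s, p: norm(p) in norm(s),
        "indexOf": lambda s, p: norm(s).find(norm(p)),
        # proposal 2: explicit, per-argument normalisation (hypothetical function)
        "lower": str.lower,
    }


def matching_file_names(case_sensitive: bool, pattern: str,
                        explicit_lower: bool = False) -> list[str]:
    """Evaluate `file where startsWith(file_name, pattern)` over EVENTS.

    With explicit_lower=True the query evaluated is instead
    `file where startsWith(lower(file_name), lower(pattern))` (proposal 2),
    which gives case insensitive matching even in a case sensitive session.
    """
    f = make_string_functions(case_sensitive)
    hits = []
    for ev in EVENTS:
        if ev["event_type"] != "file":
            continue
        name = ev["file_name"]
        if explicit_lower:
            matched = f["startsWith"](f["lower"](name), f["lower"](pattern))
        else:
            matched = f["startsWith"](name, pattern)
        if matched:
            hits.append(name)
    return hits
```

Running `matching_file_names(True, 'expLORER.exe')` returns nothing, while the case insensitive session or the explicit lower() form returns all three explorer entries.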
These are just some ideas and we don't have to choose one or the other. The list is open for discussion; suggestions are welcome.