
Expose Elasticsearch case insensitivity in EQL/KQL #134143

Open
rwaight opened this issue Jun 9, 2022 · 9 comments
Labels
- Feature:Event Correlation (EQL) Rule: Security Solution Event Correlation (EQL) Rule feature
- Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
- triage_needed

Comments

rwaight (Contributor) commented Jun 9, 2022

Describe the feature: Add an option in Kibana to enable case_insensitive searches (added to Elasticsearch in 7.10, see elastic/elasticsearch#61546) for both KQL and EQL. This option would be available throughout Kibana, not only in Discover.

Describe a specific use case for the feature: In a security use case, we should enable security analysts to determine if their queries should be "case insensitive" or not, see elastic/ecs#1837 (comment) for additional information.

Also, I did not find any way to enable the case_insensitive option in Kibana except by using the "Edit as Query DSL" feature.

Other notes

I also looked at currently open issues in the Kibana repo. This request is not the same as the following:

@botelastic botelastic bot added the needs-team Issues missing a team label label Jun 9, 2022
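The opening comment notes that the only way to get the `case_insensitive` flag from Kibana today is the "Edit as Query DSL" option. The following is an added example, not Kibana or Elasticsearch code: a small helper that builds the Query DSL clauses a detection engineer would paste there, plus a local matcher (an approximation of term/wildcard keyword semantics, not Elasticsearch itself) run over constructed sample events to show why a case-sensitive match silently misses variants of the same process name.

```python
"""Case-insensitive Query DSL clauses for Elasticsearch 7.10+ (added example).

Kibana exposes no toggle for `case_insensitive`, so the workaround is the
'Edit as Query DSL' option; this helper builds that DSL and a local matcher
illustrates the detection gap. Sample documents below are constructed.
"""
import fnmatch

# Since Elasticsearch 7.10 the term, prefix, wildcard and regexp queries
# accept `case_insensitive`; only term and wildcard are generated here.

def keyword_clause(field, value, case_insensitive=True):
    """Return a term or wildcard clause; '*' or '?' in value selects wildcard."""
    kind = "wildcard" if any(c in value for c in "*?") else "term"
    return {kind: {field: {"value": value, "case_insensitive": case_insensitive}}}

def build_query(conditions, case_insensitive=True):
    """AND several (field, value) conditions into a bool/filter query body."""
    clauses = [keyword_clause(f, v, case_insensitive) for f, v in conditions]
    return {"query": {"bool": {"filter": clauses}}}

def clause_matches(clause, doc):
    """Local approximation of keyword term/wildcard matching (not Elasticsearch)."""
    (kind, body), = clause.items()
    (field, params), = body.items()
    actual = doc.get(field)
    if actual is None:
        return False
    pattern, value = params["value"], actual
    if params.get("case_insensitive"):
        pattern, value = pattern.lower(), value.lower()
    if kind == "term":
        return value == pattern
    return fnmatch.fnmatchcase(value, pattern)

def matching_docs(query, docs):
    """Return ids of documents satisfying every filter clause of the query."""
    filters = query["query"]["bool"]["filter"]
    return [d["id"] for d in docs if all(clause_matches(c, d) for c in filters)]

# Constructed sample events: the same binary logged with different casing.
DOCS = [
    {"id": 1, "process.name": "powershell.exe"},
    {"id": 2, "process.name": "PowerShell.EXE"},
    {"id": 3, "process.name": "explorer.exe"},
]
```

A case-sensitive `term` on `process.name` matches only document 1, while the same clause with `case_insensitive: true` also catches document 2.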
elasticmachine (Contributor) commented:

Pinging @elastic/kibana-app-services (Team:AppServicesSv)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Jun 10, 2022
@exalate-issue-sync exalate-issue-sync bot added the impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. label Jul 21, 2022
@petrklapka petrklapka added Feature:Search Querying infrastructure in Kibana Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. and removed Team:AppServicesSv labels Nov 23, 2022
elasticmachine (Contributor) commented:

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@lukasolson lukasolson changed the title Expose Elasticsearch case insensitivity in KQL/EQL Expose Elasticsearch case insensitivity in EQL Jan 23, 2023
lukasolson (Member) commented:

The work for KQL is tracked in a separate issue here: #55378

I'll re-label so this issue can relate to EQL only.

@lukasolson lukasolson added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Event Correlation (EQL) Rule Security Solution Event Correlation (EQL) Rule feature and removed Feature:Search Querying infrastructure in Kibana impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. labels Jan 23, 2023
elasticmachine (Contributor) commented:

Pinging @elastic/kibana-security (Team:Security)

rwaight (Contributor, Author) commented Jan 23, 2023

@lukasolson this request is not specific to EQL. The request is for:

Add an option in Kibana to enable case_insensitive searches (added to Elasticsearch in 7.10, see elastic/elasticsearch#61546) for both KQL and EQL. This option would be available throughout Kibana, not only in Discover.

Regarding the KQL issue you referenced, is the scope of #55378 changing? The request states:

Requesting the implementation of an UPPER() function in KQL to be applied to fields, converting the record content to all uppercase.

lukasolson (Member) commented:

@rwaight Yes, the scope is changing, I will update the linked issue. We just added support in the underlying package (kbn-es-query) for creating case-insensitive KQL queries, but this is currently not exposed. In the near future, we will expose this as either a parameter sent to the search bar, or an advanced setting (this still needs to be decided). Do you have a preference on how this parameter is exposed?

legrego (Member) commented Jan 23, 2023

@lukasolson I see the kibana platform security team was tagged here -- how can we help with this?

@lukasolson lukasolson added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. and removed Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Jan 23, 2023
elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

lukasolson (Member) commented:

@legrego Sorry, wrong tag, thanks for pointing this out!

@rwaight rwaight changed the title Expose Elasticsearch case insensitivity in EQL Expose Elasticsearch case insensitivity in EQL/KQL Mar 8, 2023