elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Meta] Evaluate moving PowerShell Rules to ES|QL #4095

Open w0rk3r opened 2 weeks ago

w0rk3r commented 2 weeks ago

Epic Link

No response

Meta Summary

Summary

Interacting with PowerShell logs has been complicated for a long time, as EQL doesn't support text fields. For them to work with KQL, we needed to adjust field types, analyzers, etc. Then in 8.12 we had bugs in how KQL parses backslashes & wildcards and had to adapt and use Query DSL for exceptions.

This issue aims to evaluate whether using ES|QL and the TO_LOWER function can simplify rule writing and maintenance/tuning.

Estimated Time to Complete

1 week

Potential Blockers

Tasking

### Meta Tasks
- [ ] Convert sample queries and test with PowerShell data
- [ ] Evaluate if `min_stack` is needed for ES|QL functions or language changes
- [ ] Convert rules and exceptions
- [ ] PR to detection rules

Potential References
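To make the evaluation concrete, here is an added example of the shape an ES|QL rule query could take once script block text is lower-cased with TO_LOWER. This is not a query from the issue or from the detection-rules repository; the index pattern, the `powershell.file.script_block_text` field, the `event.code` value and the excluded vendor path are assumptions chosen to look like the Elastic Windows PowerShell integration data, and the `METADATA _id, _version, _index` clause is what Kibana requires for non-aggregating ES|QL detection rules.

```esql
// Added example (not from the issue): ES|QL rule query for PowerShell script block logging.
// Assumed index pattern and field names follow the Elastic Windows integration layout.
FROM logs-windows.powershell_operational-* METADATA _id, _version, _index
// Script Block Logging events; event.code is a keyword field, so compare as a string.
| WHERE event.code == "4104"
// Lower-case once, so every pattern below can be written in lower case and still
// match regardless of how the operator capitalised the script (no analyzer changes).
| EVAL script = TO_LOWER(powershell.file.script_block_text)
| WHERE (
      script LIKE "*invoke-mimikatz*"
   OR script LIKE "*[system.reflection.assembly]::load(*"
   OR script LIKE "*frombase64string(*"
  )
  // Tuning exclusion inline instead of a Query DSL exception. Triple quotes keep the
  // backslashes out of ES|QL string escaping; whether LIKE itself treats "\p" as a
  // literal backslash is exactly what the "test with PowerShell data" task should confirm.
  AND NOT script LIKE """*\program files\vendorsoft\*"""
| KEEP @timestamp, host.name, user.name, powershell.file.script_block_text, _id
```

Usage note: the only wildcard characters in an ES|QL LIKE pattern are `*` and `?`, so the brackets and parentheses in the patterns above are matched literally; if a pattern needs a literal `*` or `?`, escape it with a backslash. Because ES|QL detection rules and the functions used here are version-gated, this is also the query a `min_stack` check would be run against before converting the existing rules.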