[Security Solution] exceptions with "is one of" case sensitivity mismatch when defining exception and when the exception is evaluated

[buzzdeee]

Describe the bug:

When defining detection rule exception, adding a string, the string added is case insensitive. However, when the detection rule is run, the exception is taken case senstive, and the defined exception is not counted.

As an example take the: Local Service Commands Detection rule.

I've an exception defined, alike:

process.command_line is one of "C:\WINDOWS\system32\sc.exe start w32time task_started" 

However, the rule fires, when process.command_line is:

"C:\Windows\system32\sc.exe start w32time task_started"

So I tried to add "C:\Windows\system32\sc.exe start w32time task_started" as a second value to the "is one of" but I can't add it, as I get: C:\WINDOWS\system32\sc.exe start w32time task_started has already been added.

As at least Windows is case insensitive to names on the file system, and have to deal with different windows versions, I observed that in a number of cases.

Kibana/Elasticsearch Stack version:

7.12.0

Server OS version:

Ubuntu 18.04

Browser and Browser OS versions:

Firefox 87.0 Windows 10

Elastic Endpoint version:

not using elastic endpoint, just *beats.

Original install method (e.g. download page, yum, from source, etc.):

ubuntu packages

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

detection rules exceptions

Steps to reproduce:

1. see bug description

Current behavior:

detection rule exceptions are handled case sensitive, however, When defining rule excetions with "is one of", then I can't add "duplicate" values, even they differ in case sensitivity.

Expected behavior:

As the exceptions are evaluated case sensitive, I should be able to add multiple values to "is one of" types of rule exceptions that only differ due to case sensitivity.

Alternatively, there might be an option to explicitly say I want the value(s) match case sensitive or case insensitive.

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):

My current work-around is to add a second independent exception.

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[dplumlee]

At the moment, the issue within the code is the EuiComboBox not supporting case sensitive custom options. With certain fields, there's a .caseless suffix that solves this on the detection engine side of things but for now there's no workaround with our current setup. I'll speak to the EUI team about getting a fix in for this functionality

[yctercero]

@peluja1012 maybe we can revisit this in our 8.4 work?

[approksiu]

Another similar request- https://github.com/elastic/enhancements/issues/18664

[pborgonovi]

Tried to reproduce the behavior on latest 8.15 BC:

As per evidences above, user is able to add duplicate entries because field is case insensitive.

I'm closing this issue as fixed.