-
Notifications
You must be signed in to change notification settings - Fork 417
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate guidance to lowercase "http.request.method" #838
Labels
Comments
3 tasks
ebeahan
changed the title
Removing guidance to lowercase "http.request.method"
Deprecate guidance to lowercase "http.request.method"
Apr 15, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It was recently raised that lowercasing
http.request.method
was a lossy normalization on a field that captures potentially suspicious behaviour.E.g. an attacker could try to evade detection by using "PoST" instead of "POST".
Fields that currently suggest lowercasing the value are the following:
http.request.method
network.type
network.transport
network.application
network.protocol
tls.version_protocol
Other than the HTTP field for now, our stance is to leave the normalization in place. They're not places where we would usually need to do anomaly detection around letter casing. These values are provided by the data sources themselves. Feedback is welcome on this, however.
So the proposal is to mark this guidance as deprecated, and remove this guidance completely at ECS 2.0.
The text was updated successfully, but these errors were encountered: