From d3b869b266ede9da098e13a9caa482128294d005 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 22 May 2024 16:02:54 -0300 Subject: [PATCH] Add .caseless subfield to process.name & process.executable --- CHANGELOG.next.md | 2 ++ schemas/process.yml | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 5996082bf8..5645f344a4 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -24,6 +24,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Added `.caseless` subfield to `process.name` and `process.executable`. #2341 + #### Deprecated ### Tooling and Artifact Changes diff --git a/schemas/process.yml b/schemas/process.yml index 91c8ef98ef..b1acf8945c 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -112,6 +112,10 @@ Sometimes called program name or similar. example: ssh multi_fields: + - name: caseless + ignore_above: 1024 + normalizer: lowercase + type: keyword - type: match_only_text name: text @@ -171,6 +175,10 @@ Absolute path to the process executable. example: /usr/bin/ssh multi_fields: + - name: caseless + ignore_above: 1024 + normalizer: lowercase + type: keyword - type: match_only_text name: text
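Review bot: The changelog entry in the `CHANGELOG.next.md` hunk names the new subfield but does not say what it does. Stating that `.caseless` is a `keyword` multi-field using the `lowercase` normalizer would tell rule authors that it is intended for case-insensitive exact matching and that the stored terms are lowercased.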
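Review bot: Key order in the new `caseless` entry of the `process.name` hunk (`@@ -112,6 +112,10 @@`) differs from the existing sibling entry, which is written `- type: match_only_text` followed by `name: text`; the new entry starts with `name` and ends with `type`. Writing it as `- type: keyword`, `name: caseless`, then `ignore_above` and `normalizer` would keep the `multi_fields` list consistent. The field description in this hunk is also unchanged, so nothing in the schema tells a reader that the subfield is lowercased at index time; a short sentence there would help.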
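Review bot: `ignore_above: 1024` on the `caseless` entry in the `process.executable` hunk (`@@ -171,6 +175,10 @@`) means an absolute path longer than 1024 characters is not indexed in `process.executable.caseless`, so a detection query that matches only on this subfield will silently miss those events. The limit on the parent field is not visible in this hunk; please confirm the two match, and either raise the value for this path field or document the cutoff so rule authors keep a fallback condition on `process.executable`.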