[Enhancement] Add ".caseless" fields to MDE process events

packages/m365_defender/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.15.1"
+  changes:
+    - description: Add caseless fields to process events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11020
 - version: "2.15.0"
   changes:
     - description: Fix OS assignment for Windows devices.

packages/m365_defender/data_stream/event/fields/ecs.yml

@@ -1,2 +1,20 @@
 - name: process.parent.group_leader.name
   type: keyword
+- external: ecs
+  name: process.executable
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text
+- external: ecs
+  name: process.name
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text

packages/m365_defender/docs/README.md

@@ -850,6 +850,12 @@ This is the `event` dataset.
 | process.Ext.api.parameters.protection | The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`. | keyword |
 | process.Ext.api.parameters.size | The size of parameter values passed to the API call. | long |
 | process.Ext.token.integrity_level_name | Integrity level that determine the levels of protection or access for a principal used by Mandatory Integrity Control (MIC). | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.caseless | Multi-field of `process.executable`. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.caseless | Multi-field of `process.name`. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
 | process.parent.group_leader.name |  | keyword |
 | url.user_info |  | keyword |
 

packages/m365_defender/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: m365_defender
 title: Microsoft M365 Defender
-version: "2.15.0"
+version: "2.15.1"
 description: Collect logs from Microsoft M365 Defender with Elastic Agent.
 categories:
   - "security"