lowercase causes missed detections and broken searches

[neu5ron]

In the Zeek HTTP file, there is a lowercasing of http.request.method - shown here:

beats/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml

Line 53 in f39d869

- lowercase:

http.request.method will have values of POST, GET, OPTIONS, etc... the vast majority of dashboards, visualizations, searches, threat hunts, etc.. are all built on how the vast majority of HTTP requests work ie: the value of GET for outbound stuff or POST for inbound web attacks.
couple this with values being case sensitive, there is no even "fail safe" that would have made this not such an impactful thing.
also, this field can be used for anomalous variations of the above, such as looking for PoST.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[leehinman]

I definitely should have marked this as a breaking change, I'll fix that.

The reason for making it lowercase is because it is an ECS field and the doc for the field is:

HTTP request method.

The field value must be normalized to lowercase for querying.
See the documentation section "Implementing ECS".

type: keyword

example: get, post, put

@webmat & @MikePaquette thoughts?

What do you think about having "zeek.http.method" as the unmodified request method?

[neu5ron]

cross reference for Suricata too, same scenario -

beats/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml

Line 5 in 6d7d919

- lowercase:

[leehinman]

And Apache & nginx