Deprecate guidance to lowercase "http.request.method" #838
Description
It was recently raised that lowercasing http.request.method was a lossy normalization on a field that captures potentially suspicious behaviour.
E.g. an attacker could try to evade detection by using "PoST" instead of "POST".
Fields that currently suggest lowercasing the value are the following:
http.request.methodnetwork.typenetwork.transportnetwork.applicationnetwork.protocoltls.version_protocol
Other than the HTTP field for now, our stance is to leave the normalization in place. They're not places where we would usually need to do anomaly detection around letter casing. These values are provided by the data sources themselves. Feedback is welcome on this, however.
So the proposal is to mark this guidance as deprecated, and remove this guidance completely at ECS 2.0.