Add case handling for URL normalization in rule

Author: Aegrah

rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml

@@ -45,8 +45,13 @@ from
   logs-iis.access-*
 | where
     @timestamp > now() - 1 hours and
+    (url.original is not null or url.full is not null) and
     http.request.method == "GET" and 
     http.response.status_code in (404, 403)
+
+| eval Esql_url_text  = case(url.original is not null, url.original, url.full)
+| eval Esql_url_lower = to_lower(Esql_url_text)
+
 | keep
     @timestamp,
     event.dataset,
@@ -55,10 +60,11 @@ from
     url.path,
     source.ip,
     agent.id,
-    host.name
+    host.name,
+    Esql_url_lower
 | stats
     Esql.event_count = count(),
-    Esql.url_path_count_distinct = count_distinct(url.path),
+    Esql.url_lower_count_distinct = count_distinct(Esql_url_lower),
     Esql.host_name_values = values(host.name),
     Esql.agent_id_values = values(agent.id),
     Esql.http_request_method_values = values(http.request.method),
@@ -67,7 +73,7 @@ from
     Esql.event_dataset_values = values(event.dataset)
     by source.ip
 | where
-  Esql.event_count > 500 and Esql.url_path_count_distinct > 250
+  Esql.event_count > 500 and Esql.url_lower_count_distinct > 250
 | limit 100
 '''