Source: socprime.com – Author: Adam Swan
Elastic has many field types. Flattened is a type that stores a whole nested object in a single field while still allowing you to search its subfields. For cyber security analysts, such subfields typically appear in cloud logs, especially in request and response bodies, where the person who built the parser needed it to be future-proofed against the ever-changing cloud.
For instance, if we had the following JSON in a flattened field called “user”:
{
  "User": {
    "Path": "https://socprime.com/",
    "UserName": "Bobby",
    "UserId": "AIDAIOSFOPLL2EXAMPAA",
    "Arn": "arn:aws:iam::12345677701:user/Bobby",
    "CreateDate": "2024-06-22T17:50:52+00:00",
    "PermissionsBoundary": {
      "PermissionsBoundaryType": "Policy",
      "PermissionsBoundaryArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    }
  }
}
We could run any one of the following searches, and every log whose user field contains the object above would be returned, because the wildcard is matched against each leaf value stored under the field:
user:*AmazonS3FullAccess*
----
user:*12345677701*
----
user:*Bobby*
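To make it concrete which leaf values those three searches actually hit, here is a small added Python model (not code from the post or from Elastic) of how a flattened field behaves: every scalar inside the nested object is indexed as a keyword under the parent field, and a field-wide wildcard such as user:*Bobby* matches if any one of those leaf values matches. The model also shows the keyed form (restricting the match to one dotted sub-key, which flattened fields support in Elasticsearch) and the case-sensitivity of keyword matching; the sample event, the leaves() and wildcard_match() helpers, and the dotted-key naming are all constructed for this example.

```python
import fnmatch

# Constructed sample event: the JSON from the post, stored in a flattened
# field named "user".
SAMPLE_EVENT = {
    "user": {
        "User": {
            "Path": "https://socprime.com/",
            "UserName": "Bobby",
            "UserId": "AIDAIOSFOPLL2EXAMPAA",
            "Arn": "arn:aws:iam::12345677701:user/Bobby",
            "CreateDate": "2024-06-22T17:50:52+00:00",
            "PermissionsBoundary": {
                "PermissionsBoundaryType": "Policy",
                "PermissionsBoundaryArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess",
            },
        }
    }
}


def leaves(value, prefix=""):
    """Yield (dotted_key, leaf_string) for every scalar inside a nested object.

    This mirrors what a flattened field does at index time: each leaf value
    becomes a keyword under the single parent field, which is why a wildcard
    on the parent field can reach values several levels deep.
    """
    if isinstance(value, dict):
        for key, child in value.items():
            yield from leaves(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for child in value:
            yield from leaves(child, prefix)
    elif value is not None:
        yield prefix, str(value)


def wildcard_match(event, field, pattern, subkey=None):
    """Return the dotted leaf keys under `field` whose value matches `pattern`.

    `field` is the flattened field name ("user" in the post). `subkey`, when
    given, restricts the match to one nested key, the way a keyed query such
    as user.User.UserName would. Matching is case-sensitive, as keyword
    matching is; fnmatchcase supports the same '*' and '?' wildcards.
    """
    hits = []
    for key, leaf in leaves(event.get(field, {})):
        if subkey is not None and key != subkey:
            continue
        if fnmatch.fnmatchcase(leaf, pattern):
            hits.append(key)
    return hits


def run_page_queries(event=SAMPLE_EVENT):
    """The three searches from the post, each mapped to the leaf keys it hits."""
    return {
        "user:*AmazonS3FullAccess*": wildcard_match(event, "user", "*AmazonS3FullAccess*"),
        "user:*12345677701*": wildcard_match(event, "user", "*12345677701*"),
        "user:*Bobby*": wildcard_match(event, "user", "*Bobby*"),
    }


if __name__ == "__main__":
    for query, hits in run_page_queries().items():
        print(f"{query:30} -> {hits}")
    # A keyed query only inspects the one sub-key it names.
    print(wildcard_match(SAMPLE_EVENT, "user", "*Bobby*", subkey="User.UserName"))
    # Keyword matching is case-sensitive, so a lower-case pattern finds nothing.
    print(wildcard_match(SAMPLE_EVENT, "user", "*bobby*"))
```

The output makes two things visible that the searches alone do not: user:*Bobby* is satisfied by two different leaves (UserName and Arn), so a field-wide wildcard tells you that something under the field matched but not which sub-key, and a pattern in the wrong case returns nothing. When a detection needs to know which sub-key carried the value, the keyed form is the more precise choice.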
Elastic marks such flattened fields with the following icon:
Original Post URL: https://socprime.com/blog/elastic-flattened-fields-explained/
Category & Tags: Blog, Knowledge Bits, Elastic, SIEM, SIEM & EDR