I am using Elastic's Azure Integration to collect AD Audit logs. Everything is working as expected but I find the schema logic to be hard to work with.
The managed ingest pipeline runs a script to map out nested arrays in JSON. I understand why this was done. The Nested JSON has created fields like these:
These are the same field but different values. Because it's not under one field
azure.auditlogs.properties.target_resources.display_name, I am not sure how I can use these fields for visualizations.
Any advice on how to make use of this mapping structure? Perhaps there's a way I can improve on this via ingest pipeline?