Hello,
I am using Elastic's Azure Integration to collect AD Audit logs. Everything is working as expected but I find the schema logic to be hard to work with.
The managed ingest pipeline runs a script to map out nested arrays in JSON. I understand why this was done. The Nested JSON has created fields like these:
azure.auditlogs.properties.target_resources.0.display_name
azure.auditlogs.properties.target_resources.1.display_name
azure.auditlogs.properties.target_resources.2.display_name
These are the same field but different values. Because its not under one field azure.auditlogs.properties.target_resources.display_name
, I am not sure how I can use these fields for visualizations.
But any advice on how to make use of this mapping structure. Perhaps there's a way I can improve on this via ingest pipeline?
Thanks