I'm trying to figure out the best way I can build some dashboards or perform searches against the data field cisco.ftd.security from the Cisco FTD integration. When I attempt to search any of the terms in this field nothing comes back. I tried before to set the integration to save the original message but this adds a lot to the log sizes. The best scenario would be treating the individual items in the field as their own unique fields. Any suggestions welcome.
Still working on this in case somebody has input. I've found that the mapping for the field is supposed to be flattened. It's appearing as unknown so it won't let me search it, but I'm not sure what this means. This integration is fleet managed. I tried to make a data view for it, and still the data appears as unknown.