1- Too long for visualizations. As you can see below, the data field name, such as:
event_data.DestinationIP.Keyword, is too long, and together with the word "Descending" it pushes the column name "Count" to the right. So my visualization needs to be a certain size to accommodate the columns I want to show. If I reduce its size, I don't see the "Count" column.
2- Too long to type queries manually. Let's say I want to create chains of events to know which processes are calling out to a specific external IP address via a specific port name:
event_data.Image: "C:\bla\bla\bla.exe" AND event_data.DestinationIP: "x.x.x.x" AND event_data.DestinationPortName: "https"
It could be:
image: C:\bla\bla\bla.exe AND DestinationIP: "x.x.x.x" AND DestinationPortName: "https"
That's it. If most people are using them as is, then I will just use the data fields like that. I just wasn't sure if the "event_data" part added to the original data field name was something that I needed to split or take out to clean up how the data fields are presented. Once again, I am new to Winlogbeat sending the logs. I used nxlog in the past, and the logs are sent and named the way they are presented in the raw log. For example, the log shown below will keep the same data field names without adding "event_data".
However, according to what you posted before, that's the way Winlogbeat tags events so that we don't have to use Grok to parse logs properly.
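Added example for the two points in the post above (the long "event_data." field names and the hand-typed AND chains). This is not code from the thread, from Winlogbeat or from Elastic; it assumes events arrive as flat dicts with dotted keys like "event_data.Image" and that queries are written in Lucene query_string syntax. The sample event and its values are constructed. strip_prefix does what a rename step in Logstash or an ingest pipeline would do, and build_query shows the escaping caveat that hand-typed queries with Windows paths usually miss: backslashes inside a quoted phrase must be doubled, or the query parser treats them as escape characters.

```python
"""Helpers for the Winlogbeat field-name and query-chaining points above.

Added example, not code from the thread or from Winlogbeat/Elastic.
Assumptions: events are flat dicts with dotted keys such as "event_data.Image"
(as in the post); queries use Lucene query_string syntax.
"""

# Constructed Winlogbeat-style event with the fields named in the post;
# every value is made up for illustration.
SAMPLE_EVENT = {
    "computer_name": "WS01",
    "event_id": 3,
    "event_data.Image": r"C:\bla\bla\bla.exe",
    "event_data.DestinationIP": "x.x.x.x",
    "event_data.DestinationPortName": "https",
}

PREFIX = "event_data."


def strip_prefix(event, prefix=PREFIX):
    """Return a copy of the event with the prefix removed from field names.

    Equivalent to a rename step in the pipeline (Logstash mutate/rename or an
    ingest pipeline rename processor). It refuses to rename when the shortened
    name already exists, so no field silently overwrites another.
    """
    out = {}
    for key, value in event.items():
        new_key = key[len(prefix):] if key.startswith(prefix) else key
        if new_key in out:
            raise ValueError(f"field collision on {new_key!r}")
        out[new_key] = value
    return out


def escape_phrase(value):
    """Escape a value for use inside a quoted Lucene phrase.

    Backslash and double quote are reserved in query_string syntax, so a
    Windows path with backslashes has to be written with each backslash
    doubled or the query parser will mangle it.
    """
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def build_query(conditions, prefix=""):
    """Join (field, value) pairs into one AND-chained query_string query.

    `prefix` is prepended to every field name, so the same condition list
    works against the original "event_data.*" names and against renamed ones.
    """
    clauses = [f'{prefix}{field}:"{escape_phrase(value)}"' for field, value in conditions]
    return " AND ".join(clauses)


def matches(event, conditions):
    """Evaluate the same AND chain directly against one event dict (exact match)."""
    return all(event.get(field) == value for field, value in conditions)


if __name__ == "__main__":
    conds = [
        ("Image", r"C:\bla\bla\bla.exe"),
        ("DestinationIP", "x.x.x.x"),
        ("DestinationPortName", "https"),
    ]
    print(build_query(conds, prefix=PREFIX))  # against the raw Winlogbeat names
    print(build_query(conds))                 # against the renamed names
    print(matches(strip_prefix(SAMPLE_EVENT), conds))
```

Running it prints the same three-clause query twice, once with and once without the "event_data." prefix, and then True for the sample event. The collision check in strip_prefix matters in practice: an event that already carries a top-level field with the same name as a renamed one would otherwise lose data without any error.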