Easy way to parse flattened data type?

While I understand the reasoning behind the flattened data type, is there an easy way to split key-value pairs out as their own field to use with dashboards, aggregations, etc.?

I.e., m365_defender.event.activity.objects is below.

I would like to have access to m365_defender.event.activity.objects.Role / type / value, etc. While I know you can query flattened values, I would like to make dashboards surrounding the values.

[
  {
    "Role": "Parameter",
    "Type": "Structured object",
    "Value": "99999",
    "ServiceObjectType": "Session ID"
  },
  {
    "Role": "Target object",
    "Type": "Task",
    "Name": "MailItemsAccessed"
  },
  {
    "Role": "Parameter",
    "Type": "Property",
    "Value": "Bind",
    "Name": "MailAccessType"
  },
  {
    "Role": "Parameter",
    "Type": "Property",
    "Value": "False",
    "Name": "IsThrottled"
  },
  {
    "Role": "Actor",
    "Type": "User",
    "ApplicationInstance": 0,
    "Id": "99999",
    "ApplicationId": 99999,
    "Name": "Random User 01"
  }
]
