Is it currently being ingested by the module?
Looking at the current content types we support, it should grab these by default:
- Audit.AzureActiveDirectory
- Audit.Exchange
- Audit.SharePoint
- Audit.General
- DLP.All
The module itself has some underlying JavaScript to preprocess some of the content, most likely including these nested objects, but it kinda depends on what the data looks like.
Is it a list of JSON objects, like this?

```json
[
  {
    "investigation": "1",
    "details": "somedetails"
  },
  {
    "investigation": "2",
    "details": "someotherdetails"
  }
]
```

It depends on the data and what you want to do with it. For example, if you only want to create an array of investigation details, let's say usernames, then you can use the foreach processor to run through the list of objects and append them to something. You can also modify it with a script processor, depending on your knowledge of programming.
If you could maybe share a sample of the data and a bit on how you want it to look in the end, then I could maybe help you further.
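
The foreach-and-append approach described in the reply above, as an added example that is not part of the original post or the module's own pipeline. It is a request body for the ingest simulate API (`POST _ingest/pipeline/_simulate`); the field names `investigations` and `investigation_details` are assumptions, and the sample document is constructed from the JSON shape shown in the post.

```json
{
  "pipeline": {
    "description": "Added example. The field names 'investigations' and 'investigation_details' are assumptions, not fields defined by the module.",
    "processors": [
      {
        "foreach": {
          "field": "investigations",
          "ignore_missing": true,
          "processor": {
            "append": {
              "field": "investigation_details",
              "value": "{{{_ingest._value.details}}}"
            }
          }
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "investigations": [
          { "investigation": "1", "details": "somedetails" },
          { "investigation": "2", "details": "someotherdetails" }
        ]
      }
    }
  ]
}
```

Inside `foreach`, the current list element is exposed as `_ingest._value`, so the `append` processor collects each object's `details` value into one flat array on the document.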