I am trying to query my signals indices in Elastic and I would like the results to return only the fields that I am interested in. My current challenge is that some of the fields are nested. I have tried various methods of writing my query, but it either returns some fields or no fields at all.
I am using the source filter option that I found on the internet, and this works for the fields that are not nested. Could someone please assist me with the correct way of writing my query statement?
My ultimate goal is to pass some of the data from an Alert into an external system that will create a case based on the alert details.
I have also noticed that my returned results contain a key _source which has a nested key-value pair of message, so that is why the query sometimes returns results and other times it does not.
Here is a sample of my GET request. I am testing using Postman, and I have the following GET request: http://10.12.12.12:9200/.siem/_search?pretty
{
  "_source": ["message", "ip"],
  "query": {
    "range": {
      "@timestamp": {
        "gte": "2020-06-22"
      }
    }
  }
}
Below is a sample of the results being returned.
    "index": [
      "winlogbeat-*"
    ],
    "interval": "5m",
    "language": "kuery",
    "name": "Remote Logins via RDP",
    "query": "winlog.event_data.LogonType : \"3\" and event.type: \"authentication_success\" and host.hostname :\"testbox\" ",
    "references": [],
    "severity": "critical",
    "tags": [],
    "type": "query",
    "to": "now",
    "enabled": true,
    "filters": [],
    "created_by": "some_user",
    "updated_by": "some_user",
    "threat": [],
    "version": 1,
    "created_at": "2020-06-09T14:18:39.289Z",
    "updated_at": "2020-06-09T14:18:40.327Z"
  },
  "original_event": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "created": "2020-06-10T00:34:46.584Z",
    "module": "security",
    "outcome": "success",
    "type": "authentication_success",
    "code": 4624,
    "action": "logged-in",
    "category": "authentication",
    "kind": "event"
  }
}
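As an added example (not code from the post above), the following script shows how a `_source` filter can name object fields by dotted path or wildcard, and how to pull those fields out of a hit for hand-off to a case system. It assumes the detection-engine layout where rule metadata sits under `signal.rule` and the source event under `signal.original_event`, and the index name `.siem-signals-*`; the sample hit is constructed.

```python
"""Added example (not from the original post): build a signals query whose
_source filter names object fields by dotted path, then pull those fields out
of a hit for hand-off to a case system. Assumes the detection-engine layout
signal.rule.* / signal.original_event.* (an assumption about the index)."""
import json
from typing import Any

# Dotted paths and wildcards are valid in a _source filter; "message" and "ip"
# alone return nothing for documents whose data lives under the signal object.
SOURCE_FIELDS = ["message", "host.hostname", "signal.rule.name",
                 "signal.rule.severity", "signal.original_event.*"]

def build_query(since: str, fields=SOURCE_FIELDS) -> dict:
    """Request body for GET /.siem-signals-*/_search (index name assumed)."""
    return {
        "_source": list(fields),
        "query": {"range": {"@timestamp": {"gte": since}}},
    }

def get_path(doc: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; a missing key yields default."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def alert_to_case(hit: dict) -> dict:
    """Flatten the fields a case system needs from one search hit."""
    src = hit.get("_source", {})
    return {
        "title": get_path(src, "signal.rule.name", "unnamed rule"),
        "severity": get_path(src, "signal.rule.severity", "unknown"),
        "host": get_path(src, "host.hostname"),
        "event_code": get_path(src, "signal.original_event.code"),
        "event_action": get_path(src, "signal.original_event.action"),
        "alert_id": hit.get("_id"),
    }

# Constructed hit shaped like the post's result, trimmed to the fields above.
SAMPLE_HIT = {"_id": "abc123", "_source": {
    "host": {"hostname": "testbox"},
    "signal": {"rule": {"name": "Remote Logins via RDP", "severity": "critical"},
               "original_event": {"code": 4624, "action": "logged-in",
                                  "outcome": "success"}}}}

if __name__ == "__main__":
    print(json.dumps(build_query("2020-06-22"), indent=2))
    print(alert_to_case(SAMPLE_HIT))
```

Fields absent from a hit come back as the supplied default rather than raising, so a rule whose source event lacks a code still produces a case record.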