Searching Does not Return Results - Challenge

I have this log message in Elastic:
ExtendedProperties
[{"Name":"UserAgent","Value":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.13426; Pro)"} {"Name":"UserAuthenticationMethod","Value":"1"} {"Name":"RequestType","Value":"OAuth2:Token"} {"Name":"ResultStatusDetail","Value":"Success"} {"Name":"KeepMeSignedIn","Value":"false"}].

I have tried searching various ways for "OAuth2". Do you know how I can successfully search for it and get results?

Thanks,
Gary

Can you share what you have tried?

'*.keyword:(OAuth2)'
OAuth2
"OAuth2"
"OAuth2:Token"
OAuth2:Token
(OAuth2:Token)
(OAuth2)
text:(OAuth2)
OAuth2
fuzzy:OAuth2
*.keyword:(OAuth2)
keyword:(OAuth2)
text:OAuth2

Is ExtendedProperties by any chance mapped as a nested field?

Do you know where the "path" comes from for a nested query or what query would I use to tell if there were nested fields?

Check the INDEXNAME/_mapping endpoint.
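One way to answer both of the questions above (is a field nested, and what do I put in `path`) from the output of that endpoint, as an added example that is not from this thread or from Elastic's own code: a small Python script that flattens a `GET INDEXNAME/_mapping` response, lists the fields mapped as `nested`, checks whether a keyword value falls under `ignore_above`, and builds the query shape that fits the field's mapping. The index name and the `Actor`/`ModifiedProperties`/`message` fields are constructed for the demo; only the `ExtendedProperties` keyword mapping and the log value mirror what is quoted in the thread.

```python
import json

# Constructed sample of a GET INDEXNAME/_mapping response. The index name and
# the Actor/ModifiedProperties/message fields are assumptions for the demo; only
# the ExtendedProperties keyword mapping mirrors what the thread shows.
SAMPLE_MAPPING = json.dumps({
    "sample-o365-index": {
        "mappings": {
            "properties": {
                "ExtendedProperties": {"type": "keyword", "ignore_above": 1024},
                "Actor": {
                    "type": "nested",
                    "properties": {"ID": {"type": "keyword"}, "Type": {"type": "integer"}},
                },
                "ModifiedProperties": {
                    "properties": {"Name": {"type": "keyword"}},
                },
                "message": {"type": "text"},
            }
        }
    }
})

# The ExtendedProperties value quoted in the thread, used for the ignore_above check.
THREAD_LOG_VALUE = (
    '[{"Name":"UserAgent","Value":"Microsoft Office/16.0 (Windows NT 10.0; '
    'Microsoft Outlook 16.0.13426; Pro)"} {"Name":"UserAuthenticationMethod","Value":"1"} '
    '{"Name":"RequestType","Value":"OAuth2:Token"} {"Name":"ResultStatusDetail","Value":"Success"} '
    '{"Name":"KeepMeSignedIn","Value":"false"}]'
)


def _walk(props, prefix=""):
    """Yield (dotted_path, field_definition) for every field, descending into sub-properties."""
    for name, spec in props.items():
        path = f"{prefix}.{name}" if prefix else name
        yield path, spec
        if "properties" in spec:
            yield from _walk(spec["properties"], path)


def field_specs(mapping_json):
    """Flatten a _mapping response into {dotted_path: field_definition} across all indices."""
    specs = {}
    for body in json.loads(mapping_json).values():
        specs.update(_walk(body["mappings"].get("properties", {})))
    return specs


def field_type(mapping_json, field):
    """Mapping type of a field; a definition with only 'properties' is an object."""
    spec = field_specs(mapping_json).get(field)
    if spec is None:
        return None
    return spec.get("type", "object")


def nested_paths(mapping_json):
    """Every field mapped as nested: these are the valid 'path' values for a nested query."""
    return sorted(p for p, s in field_specs(mapping_json).items() if s.get("type") == "nested")


def indexed_under_ignore_above(mapping_json, field, value):
    """False when a keyword value exceeds ignore_above: it is stored but never indexed."""
    spec = field_specs(mapping_json)[field]
    limit = spec.get("ignore_above")
    return limit is None or len(value) <= limit


def build_query(mapping_json, field, needle):
    """Choose the query shape that matches how the field is mapped."""
    specs = field_specs(mapping_json)
    # A field under a nested parent must be queried through nested/path.
    parts = field.split(".")
    for i in range(len(parts) - 1, 0, -1):
        ancestor = ".".join(parts[:i])
        if specs.get(ancestor, {}).get("type") == "nested":
            return {"query": {"nested": {"path": ancestor,
                                         "query": {"match": {field: needle}}}}}
    kind = field_type(mapping_json, field)
    if kind == "keyword":
        # A keyword field holds the whole value as one term, so "OAuth2" alone
        # never equals the stored string; a substring needs a (case-sensitive) wildcard.
        return {"query": {"wildcard": {field: {"value": f"*{needle}*"}}}}
    if kind == "text":
        # Analyzed text is split into tokens by its analyzer; match searches those tokens.
        return {"query": {"match": {field: needle}}}
    raise ValueError(f"{field!r} is mapped as {kind}; no search strategy defined")


if __name__ == "__main__":
    print("nested paths:", nested_paths(SAMPLE_MAPPING))
    print("ExtendedProperties type:", field_type(SAMPLE_MAPPING, "ExtendedProperties"))
    print("value fits ignore_above:",
          indexed_under_ignore_above(SAMPLE_MAPPING, "ExtendedProperties", THREAD_LOG_VALUE))
    print(json.dumps(build_query(SAMPLE_MAPPING, "ExtendedProperties", "OAuth2"), indent=2))
```

Feed the script the real `_mapping` output instead of `SAMPLE_MAPPING`: `nested_paths` prints exactly the `path` values a nested query accepts, and an empty list means the field is an ordinary object or keyword and a nested query is the wrong tool. A leading-wildcard query on a keyword field scans every term and is slow on large indices, so when verifying a detection rule it is worth confirming the mapping first rather than trying query syntaxes one after another.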

Does this help?

"ExtendedProperties" : {
  "properties" : {
    "*" : {
      "type" : "object"
    }
  }
}

There is a bunch of these.
"ExtendedProperties" : {
  "type" : "keyword",
  "ignore_above" : 1024
}

Is there a way of knowing if it is a nested field or how to search and find this data?

It'd be useful if you posted the entire thing please. Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

The post is limited to 13000 characters. The output is over 58000. I am not finding a way to attach it as a text file. Do you have any suggestions?

Use gist/pastebin/etc.


Were you able to review the index? What started this query is that there is a detection rule that looks at OAuth2; however, I am not able to confirm that it is working.
The pastebin post will be deleted in 4 hours, but I can repost it if necessary.

Any movement on this request?
Thanks