Elastic Flattened Fields Explained

November 25, 2024 · 1 min read

Elastic has many field types. Flattened is a type that maps a whole JSON object as a single field while still letting you search its subfields, without mapping each subfield individually. For cyber security analysts, such subfields typically appear in cloud logs, especially in requests and responses, where the person who built the parser needed it to be future-proofed against the ever-changing cloud.

For instance, if we had the following JSON in a flattened field called “user”:

{
    "User": {
        "Path": "/",
        "UserName": "Bobby",
        "UserId": "AIDAIOSFOPLL2EXAMPAA",
        "Arn": "arn:aws:iam::12345677701:user/Bobby",
        "CreateDate": "2024-06-22T17:50:52+00:00",
        "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            "PermissionsBoundaryArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        }
    }
}

We could run any one of the following searches, and every log carrying the above user field would be returned, because the query matches against any leaf value inside the flattened object.
user:*AmazonS3FullAccess*
----
user:*12345677701*
----
user:*Bobby*

Elastic advertises such flattened fields with the following icon: [icon image]
