Elastic Flattened Fields Explained

Elastic has many field types. Flattened is a type that maps a whole JSON object as a single field so that its subfields can be searched without mapping each one individually. For cyber security analysts, such subfields typically appear in cloud logs, especially in request and response objects, where whoever built the parser needed it to be future-proofed against the ever-changing cloud.


For instance, if we had the following JSON in a flattened field called “user”:

```json
{
    "User": {
        "Path": "/",
        "UserName": "Bobby",
        "UserId": "AIDAIOSFOPLL2EXAMPAA",
        "Arn": "arn:aws:iam::12345677701:user/Bobby",
        "CreateDate": "2024-06-22T17:50:52+00:00",
        "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            "PermissionsBoundaryArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        }
    }
}
```

Any one of the following searches would return every log whose user field contains the object above:

```
user:*AmazonS3FullAccess*

user:*12345677701*

user:*Bobby*
```
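To see why those three wildcard searches all hit the same log, it helps to model what a flattened field actually stores. The Python below is an added example (not code from the SOC Prime post or from Elastic): it declares the mapping body you would PUT to create such a field, then simulates the indexing step in memory, turning every leaf of the "user" object into a keyword term keyed by its dotted path, and evaluates simple `field:pattern` queries against those terms. It goes slightly beyond the post in two ways: it also shows the dotted-key form (`user.User.UserName:Bobby`) that flattened fields support for querying one specific key, and it shows that a flattened leaf is a keyword, so matching is exact and case-sensitive (`user:bobby` does not find "Bobby"). The function names and the sample event are constructed for this example; no cluster is needed to run it.

```python
import re

# Request body for creating an index with "user" as a flattened field
# (the mapping you would PUT to Elasticsearch; held here as a dict for reference).
FLATTENED_MAPPING = {
    "mappings": {
        "properties": {
            "user": {"type": "flattened"},
        }
    }
}

# Constructed sample log event: the "user" object from the post, as stored in one document.
SAMPLE_EVENT = {
    "user": {
        "User": {
            "Path": "/",
            "UserName": "Bobby",
            "UserId": "AIDAIOSFOPLL2EXAMPAA",
            "Arn": "arn:aws:iam::12345677701:user/Bobby",
            "CreateDate": "2024-06-22T17:50:52+00:00",
            "PermissionsBoundary": {
                "PermissionsBoundaryType": "Policy",
                "PermissionsBoundaryArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess",
            },
        }
    }
}


def flatten_leaves(obj, prefix=""):
    """Return [(dotted_key, keyword_value), ...] for every leaf under obj.

    This mirrors what a flattened field indexes: each leaf becomes one keyword
    term that is reachable through the root field and through its dotted key.
    Nested objects recurse; a list contributes one term per element under the
    same key; scalars are stored as strings (there is no per-leaf type).
    """
    if isinstance(obj, dict):
        return [
            pair
            for key, value in obj.items()
            for pair in flatten_leaves(value, f"{prefix}.{key}" if prefix else key)
        ]
    if isinstance(obj, list):
        return [pair for value in obj for pair in flatten_leaves(value, prefix)]
    return [(prefix, str(obj))]


def _wildcard_to_regex(pattern):
    """Compile a KQL-style term where only '*' is a wildcard; all else is literal."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.DOTALL)


def search(event, query):
    """Evaluate one `field:pattern` query against one event.

    `field` is either the flattened root ("user"), which tests the pattern
    against every leaf value, or a dotted key ("user.User.UserName"), which
    tests only that key's values. Matching is whole-term and case-sensitive,
    as it is for a keyword field.
    """
    field, _, pattern = query.partition(":")
    root, _, key = field.partition(".")
    regex = _wildcard_to_regex(pattern)
    for leaf_key, value in flatten_leaves(event.get(root, {})):
        if key and leaf_key != key:
            continue
        if regex.fullmatch(value):
            return True
    return False


if __name__ == "__main__":
    for q in ("user:*AmazonS3FullAccess*", "user:*12345677701*", "user:*Bobby*",
              "user.User.UserName:Bobby", "user:bobby"):
        print(f"{q:32} -> {search(SAMPLE_EVENT, q)}")
```

The root-field form is the one analysts reach for when the request or response structure is not known in advance; the dotted-key form is cheaper and more precise once you know which key carries the value you care about. Because the leaves are keywords, a detection rule that should be case-insensitive has to ask for that explicitly rather than relying on the default match.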

Elastic marks such flattened fields with a dedicated field-type icon in Kibana (icon image omitted).

The post Elastic Flattened Fields Explained appeared first on SOC Prime.