[SIEM] Autonomous System fields as nested fields

[olivierbuez]

Kibana version: 7.7.1 Elasticsearch version: 7.7.1 Server OS version: Running in from docker.elastic.co/elasticsearch/elasticsearch:7.7.1 Browser version: Google Chrome 84.0.4147.125 Original install method (e.g. download page, yum, from source, etc.): Usual docker run Describe the bug: Kibana SIEM can't render autonomous system (destination.as, source.as, host.as, ...) when it's a nested field. Steps to reproduce:

1. Index a nested field as destination.as

{
        "@timestamp": "2020-08-17T09:38:59.336Z",
    "destination": {
        "ip": "4.4.4.4",
        "as": [
            {"organization": {"name": "OOO"}, "number": 1236},
                        {"organization": {"name": "TTT"}, "number": 2354}
        ]
    },
    "source": {
        "ip": "4.4.4.4.",
        "as": [
            {"organization": {"name": "OOO"}, "number": 1236},
                        {"organization": {"name": "TTT"}, "number": 2354}
        ]
    }
}

2. Go to look the result in the SIEM app where autonomous system information is rendered.

Expected behavior: I expect to see "OOO", 1236; "TTT", 2354 in SIEM => Network => Flows below "autonomous system" column instead of empty.

Screenshots (if relevant):

Errors in browser console (if relevant): No errors when using a nested field.

Any additional context: I initially started the discussion on https://discuss.elastic.co/t/some-kibana-siem-feature-not-working-with-arrays/245029.

One would say the autonomous system should never be a nested field / array as the relation with network is one-to-many, never the other way around. The thing is, what do I do if I face two IPs (from the same field) belonging to different autonomous system (think of host.ip) ? Do I loose information or do I use a nested field / array ? I'm strongly convinced Kibana SIEM must handle this case.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)