Support flat ecs schema

[eliranDream]

Hello there, When I working with elastic I'm dealing with ECS schema. But the json I got from elastic looks flat. for example:

              "file.path":"aaa.exe",
              "process.entity_id": "abv",
              "process.pid": "1234",
...

I want to know if there is a way to use the ECS flat schema as event ?

[markuskont]

Hmm. Problem here is that the backing library I wrote to deal with nested JSON keys in dot notation assume recursion. If the actual JSON returned by elastic is flat, it pretty much goes against the assumption here.

Thing is, the default JSON handler is just a reference implementation to support examples and some tools I made myself. Sigma engine does not care how the values are handled. It only defines interfaces for doing Selection and Keywords lookups. But you could easily implement your own wrapper around map[string]any that does literal lookups instead.