It appears that any nested data - e.g. from EventData - will be overwritten if the field exists on the event itself.

For example, please see your documentation on sysmon. Notice that ProcessID is a field on the event, and is also a field under EventData, albeit with different data.

The resulting JSON output includes only the ProcessID from the event itself, not from the EventData. In the example at the link, notice that the Event.ProcessID is 1680. The Event.EventID.ProcessID is 25848. Notice that the data from the latter (generally more specific to this type of event, and thus generally more important) is not available as structured data anywhere.

Personally I'm not using this at the moment, but I could see many situations where the generic Event fields overwrite valuable information from EventData.

Asked January 12, 2017 - 4:04pm
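The collision the post describes, as an added example (not code from the original post or from the product's own pipeline): a naive flattener that hoists EventData beside the event's own fields, against one that keeps the nested path as a key prefix and a check that reports which keys would collide. The Sysmon record is constructed, using the two ProcessID values quoted in the post; the function names are assumptions.

```python
from typing import Any, Dict, Set

# Constructed sample modelled on the Sysmon event in the post: ProcessID is
# both a top-level event field (1680) and an EventData field (25848).
SYSMON_EVENT: Dict[str, Any] = {
    "EventID": 1,
    "ProcessID": 1680,
    "EventData": {
        "ProcessID": 25848,
        "Image": "C:\\Windows\\System32\\notepad.exe",  # constructed value
    },
}


def flatten_overwrite(event: Dict[str, Any]) -> Dict[str, Any]:
    """Naive flattening: nested dicts are hoisted to the top level, then the
    event's own scalar fields are applied, so same-named nested keys are lost."""
    flat: Dict[str, Any] = {}
    for value in event.values():
        if isinstance(value, dict):
            flat.update(value)
    for key, value in event.items():
        if not isinstance(value, dict):
            flat[key] = value  # generic field wins over EventData field
    return flat


def flatten_prefixed(event: Dict[str, Any], sep: str = ".") -> Dict[str, Any]:
    """Lossless flattening: nested keys keep their parent path as a prefix
    (EventData.ProcessID), so both values survive. Recurses to any depth."""
    flat: Dict[str, Any] = {}
    for key, value in event.items():
        if isinstance(value, dict):
            for sub_key, sub_value in flatten_prefixed(value, sep).items():
                flat[f"{key}{sep}{sub_key}"] = sub_value
        else:
            flat[key] = value
    return flat


def find_collisions(event: Dict[str, Any]) -> Set[str]:
    """Keys that exist both at the top level and inside a nested dict; a
    pipeline can log or reject records where this set is non-empty."""
    top_level = {k for k, v in event.items() if not isinstance(v, dict)}
    nested: Set[str] = set()
    for value in event.values():
        if isinstance(value, dict):
            nested.update(value.keys())
    return top_level & nested
```

Run `find_collisions` before a naive flatten to see which fields a record would silently drop.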

Answer (1)