Question

How to over ride Entity data? e.g. entity.user

  • November 21, 2025
  • 1 reply
  • 13 views

JSpoorSonic

I am trying to overwrite, as well as add, some entity data for enrichment.

 

I am trying the following parser extension for the Azure AD Organizational Context:

 

filter {

  # Parse the raw record as JSON. The "not_json" label set on failure is not
  # checked anywhere below.
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }

  # entity.user.userid <- userPrincipalName
  # The UPN goes into a scratch field first; a missing UPN sets "no_upn"
  # instead of failing the extension, and the userid assignment is then skipped.
  mutate {
    replace => {
      "username" => "%{userPrincipalName}"
    }
    on_error => "no_upn"
  }
  if ![no_upn] {
    mutate {
      replace => {
        # "aadcontext_event.idm.read_only_udm.principal.user.userid" => "%{username}"
        "$entity.user.userid" => "%{username}"
      }
    }
  }

  # entity.asset.attribute.roles[].name <- extensionAttribute10
  # The source key is the tenant-specific schema-extension id. A missing
  # attribute sets the "no_extenstionattribute10" label (spelled the same way
  # in the check below) and the roles merge is skipped.
  mutate {
    replace => {"employeetype" => "%{extension_29d326fe90944c75bdc8889fcfa9a2ea_extensionAttribute10}"}
    on_error => "no_extenstionattribute10"
  }
  if ![no_extenstionattribute10] {
    mutate {
      replace => {
        "asset_attribute_roles_name" => "%{employeetype}"
      }
    }
    # NOTE(review): asset_attribute_roles_name is a plain string token. The
    # revised extension further down fills the comparable
    # user.attribute.roles[] by merging a map token that carries a .name key,
    # so merging a bare string into a roles path here looks like a plausible
    # trigger for the "received non-map raw output for sub-message field"
    # error quoted on this page — confirm.
    mutate {
      merge => { "$entity.asset.attribute.roles.name" => "asset_attribute_roles_name" }
    }
    #about.asset.attribute.roles.name

  }

  # Alternative wiring that was tried and left disabled.
  # mutate { merge => {"aadcontext.idm.entity" => "$entity" } }
  # mutate { merge => { "@output" => "aadcontext"} }

  # Debug aid: dumps the full event state at this point. The revised version
  # further down keeps it commented out.
  statedump {
    label => "Post Merge"
  }

}

 

I can’t figure out how to merge this, though. I get the following error:

field \"idm\": index 0: recursive rawDataToProto failed: field \"entity\": index 0: received non-map raw output for sub-message field"

 

1 reply

JSpoorSonic
  • Author
  • November 25, 2025

Figured this out.

However, is there a way to append data rather than override it?

If I use below parser extension:

 

# Azure AD Org Context Parser Extension
# Author: J Spoor
# Version: 1.0 WIP
# Product: Azure AD Organizational Context
# Supported Format: JSON
# Last Updated: 2025-11-07
#
# Assembles an "aad_user" token (userid plus attribute.roles[]) from the
# Azure AD user record, copies it under aad_event.idm.entity.entity.user and
# merges aad_event into @output.


filter {

  # Initialization
  # NOTE(review): employee_type starts as an empty string here but is later
  # used as a map token (employee_type.name below) — confirm the parser
  # accepts that transition, or initialise it in the shape it is merged in.
  mutate {
    replace => {
      "employee_type" => ""
    }
  }
  # End Initialization

  # Parse the raw record as JSON; the "not_json" label is not checked below.
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }

  # entity.user.userid <- userPrincipalName
  # A missing UPN sets "no_upn" rather than failing the extension; the userid
  # assignment is then skipped.
  mutate {
    replace => {
      "username" => "%{userPrincipalName}"
    }
    on_error => "no_upn"
  }
  if ![no_upn] {
    mutate {
      replace => {
        # "aadcontext_event.idm.read_only_udm.principal.user.userid" => "%{username}"
        "aad_user.userid" => "%{username}"
      }
    }
  }

  # entity.user.attribute.roles[]
  # Copied from the base parser to fill index 0: the user_role token is merged
  # into the roles list and its name is taken from userType.
  # NOTE(review): this is gated by a value comparison, not by on_error, so a
  # record with no userType field at all is not covered by this guard — verify
  # how the parser handles that case.
  if [userType] != "" {
    mutate {
      merge => {"aad_user.attribute.roles" => "user_role"}
      replace => {"user_role.name" => "%{userType}"}
    }
  }
  # End Copied from Parser

  # Add extensionAttribute10 to index 1. The source key is the tenant-specific
  # schema-extension id; a missing attribute sets the "no_extenstionattribute10"
  # label (spelled the same way in the check below) and the append is skipped.
  mutate {
    replace => {"employeetype" => "%{extension_29d326fe90944c75bdc8889fcfa9a2ea_extensionAttribute10}"}
    on_error => "no_extenstionattribute10"
  }
  if ![no_extenstionattribute10] {
    mutate {
      merge => {"aad_user.attribute.roles" => "employee_type"}
      replace => {"employee_type.name" => "%{employeetype}"}
    }
  }
  # End entity.user.attribute.roles[]

  # Place the assembled aad_user token under aad_event's entity path. Copy was
  # chosen over rename so aad_user stays available (see the inline comment).
  mutate {
    # Option Rename
    # rename => {"aad_user" => "aad_event.idm.entity.entity.user"}
    # Option Copy, leaves original behind
    copy => {"aad_event.idm.entity.entity.user" => "aad_user"}
  }

  mutate { merge => { "@output" => "aad_event"} }

  # Debug aid, disabled: dump the event state after the merge.
  # statedump {
  # label => "Post Merge"
  # }

}

 

It actually overwrites user.attribute.roles rather than appending to it?