Parser Issues when trying to access nested data

Hello,

I am trying to create an extension for the Defender for Endpoint parser because the current prebuilt does not include some additional fields that I need. But I am running into a very odd issue, I was attempting to use some of the prebuilt logic that was accessing the field but I am continually getting this error message - “No UDM events or entities were generated for the current parser configuration. If this is not intended, rectify the code snippet/UDM mappings and then click preview.”

Here is my current parser logic:

filter{
 mutate {
 replace => {
 "record_AdditionalFields" => "%{properties.AdditionalFields}"
 }
 }
 statedump{
 label => "start"
 }

 if [record_AdditionalFields] != "" {
 json {
 source => "record_AdditionalFields"
 target => "_AdditionalFields"
 array_function => "split_columns"
 on_error => "properties_additional_fields_is_object"
 }
 if ![properties_additional_fields_is_object] {
 for key, value in _AdditionalFields map {
 mutate {
 convert => {
 "value" => "string"
 }
 on_error => "additional_field_value_conversion_error"
 }

 if [key] == "DnsQueryType" {
 mutate {
 replace => {
 "network.dns.additional.type" => "%{value}"
 }
 }
 }
 mutate {
 merge => {
 "udm_event.idm.read_only_udm.additional.fields" => "dns_query_type"
 }
 }
 mutate {
 remove_field => ["dns_query_type"]
 }
 }
 }
 }
 statedump{
 label => "end"
 }

 mutate {
 merge => {
 "@output" => "udm_event"
 }
 on_error => "_"
 }
}

Here is the log that I am trying to validate against:

{
 "time": "2026-01-26T14:55:48.2596506Z",
 "tenantId": " [removed by moderator]  [removed by moderator] ",
 "operationName": "Publish",
 "category": "AdvancedHunting-DeviceEvents",
 "_TimeReceivedBySvc": "2026-01-26T14:54:09.7046051Z",
 "properties": {
 "DeviceId": " [removed by moderator] 0 [removed by moderator] 010",
 "DeviceName": "newdevice",
 "ReportId": 184155,
 "InitiatingProcessId": 2464,
 "InitiatingProcessCreationTime": "2026-01-16T01:52:46.7340349Z",
 "InitiatingProcessCommandLine": "svchost.exe -k NetworkService -p",
 "InitiatingProcessParentFileName": "services.exe",
 "InitiatingProcessParentId": 1308,
 "InitiatingProcessParentCreationTime": "2026-01-16T01:52:45.9827673Z",
 "InitiatingProcessSHA1": "2938ff787f23b6a706526bf852bb9bc147225a77",
 "InitiatingProcessMD5": "7b88d0896fbf43469a9959d59824a514",
 "InitiatingProcessFileName": "svchost.exe",
 "InitiatingProcessFolderPath": "c:\\windows\\system32\\svchost.exe",
 "InitiatingProcessAccountName": "network service",
 "InitiatingProcessAccountDomain": "nt authority",
 "SHA1": null,
 "MD5": null,
 "FileName": null,
 "FolderPath": null,
 "AccountName": null,
 "AccountDomain": null,
 "AdditionalFields": "{\"DnsQueryString\":\"www.clarity.ms\",\"DnsQueryResult\":[\"{\\\"DnsQueryType\\\":\\\"CNAME\\\",\\\"Result\\\":\\\"tm-clarity-tag.trafficmanager.net\\\"}\",\"{\\\"DnsQueryType\\\":\\\"CNAME\\\",\\\"Result\\\":\\\"vmss-clarity-tag-eus2.eastus2.cloudapp.azure.com\\\"}\",\"{\\\"DnsQueryType\\\":\\\"SOA\\\",\\\"Result\\\":\\\"ns1-06.azure-dns.com\\\"}\"],\"ClientProcessName\":\"NisSrv.exe\",\"ClientProcessId\":\"10452\"}",
 "InitiatingProcessAccountSid": "S-1-5-20",
 "AppGuardContainerId": "",
 "InitiatingProcessSHA256": "53a39b900e3bfbf384acd13f0fc2329fa8d42b61e993d8ed5adf3a1428005d26",
 "SHA256": null,
 "RemoteUrl": null,
 "ProcessCreationTime": null,
 "ProcessTokenElevation": null,
 "ActionType": "DnsQueryResponse",
 "FileOriginUrl": null,
 "FileOriginIP": null,
 "InitiatingProcessLogonId": 0,
 "AccountSid": null,
 "RemoteDeviceName": null,
 "RegistryKey": null,
 "RegistryValueName": null,
 "RegistryValueData": null,
 "LogonId": null,
 "LocalIP": null,
 "LocalPort": null,
 "RemoteIP": null,
 "RemotePort": null,
 "ProcessId": null,
 "ProcessCommandLine": null,
 "InitiatingProcessAccountUpn": null,
 "InitiatingProcessAccountObjectId": null,
 "FileSize": null,
 "InitiatingProcessFileSize": 88232,
 "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
 "InitiatingProcessVersionInfoProductName": "Microsoft® Windows® Operating System",
 "InitiatingProcessVersionInfoProductVersion": "10.0.26100.5074",
 "InitiatingProcessVersionInfoInternalFileName": "svchost.exe",
 "InitiatingProcessVersionInfoOriginalFileName": "svchost.exe",
 "InitiatingProcessVersionInfoFileDescription": "Host Process for Windows Services",
 "InitiatingProcessSessionId": 0,
 "IsInitiatingProcessRemoteSession": false,
 "InitiatingProcessRemoteSessionDeviceName": null,
 "InitiatingProcessRemoteSessionIP": null,
 "CreatedProcessSessionId": null,
 "IsProcessRemoteSession": false,
 "ProcessRemoteSessionDeviceName": null,
 "ProcessRemoteSessionIP": null,
 "InitiatingProcessUniqueId": " [removed by moderator] ",
 "Timestamp": "2026-01-26T14:51:59.2103101Z",
 "MachineGroup": "UnassignedGroup"
 },
 "Tenant": "DefaultTenant"
}

Any help is much appreciated, I have never ran into that message before when attempting to build a parser and anything that I try it just keep popping up with the same message.

Thanks!