Create rule with data from multiple documents

Hi forum,

I am trying to set up an alert/rule with audit data from Confluent Cloud.
When I invite a user into the organization, the following documents (among others) are generated and visible in Kibana under Discover.

{
  "_index": "kafka-audit-2022.04.20",
  "_type": "_doc",
  "_id": "fEGMSIABmHV0cT-yE9ot",
  "_version": 1,
  "_score": 1,
  "_source": {
    "source": "crn://confluent.cloud/",
    "type": "io.confluent.cloud/request",
    "specversion": "1.0",
    "data": {
      "result": {
        "status": "SUCCESS",
        "data": {
          "api_version": "v2",
          "send_invitation": true,
          "kind": "UserInvitation",
          "user": {
            "api_version": "v2",
            "email": "ext.frede.hansen@dummymail.vombat",
            "id": "u-xqp96k",
            "kind": "User"
          },
          "metadata": {
            "self": "",
            "resource_name": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5"
          }
        }
      },
      "request": {
        "accessType": "MODIFICATION",
        "data": {
          "api_version": "v2",
          "send_invitation": true,
          "kind": "UserInvitation",
          "user": {
            "api_version": "v2",
            "email": "ext.frede.hansen@dummymail.vombat",
            "kind": "User"
          },
          "metadata": {
            "self": "",
            "resource_name": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=*"
          }
        }
      },
      "requestMetadata": {
        "requestId": [
          "c81157aa5b6e446333af97384334bdba"
        ],
        "clientAddress": [
          {
            "ip": "193.162.26.14"
          }
        ]
      },
      "temp": {
        "email": "xxx.yyy@zzz.com",
        "confluentUser": {
          "resourceId": "u-mvy32w"
        }
      },
      "cloudResources": [
        {
          "scope": {
            "resources": [
              {
                "resourceId": "63063aee-791f-4a10-881d-8c98506df535",
                "type": "ORGANIZATION"
              }
            ]
          },
          "resource": {
            "resourceId": "i-8wjn5",
            "type": "USER_INVITATION"
          }
        }
      ],
      "resourceName": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5",
      "serviceName": "crn://confluent.cloud/",
      "methodName": "InviteUser",
      "authenticationInfo": {
        "result": "SUCCESS"
      }
    },
    "time": "2022-04-20T19:56:20.775Z",
    "subject": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5",
    "datacontenttype": "application/json",
    "id": "24ca7045-f5e9-4904-83ab-6b9e2639715c",
    "@version": "1",
    "@timestamp": "2022-04-20T19:56:21.061Z"
  },
  "fields": {
    "data.requestMetadata.requestId": [
      "c81157aa5b6e446333af97384334bdba"
    ],
    "data.temp.email.keyword": [
      "xxx.yyy@zzz.com"
    ],
    "datacontenttype": [
      "application/json"
    ],
    "data.request.data.metadata.self.keyword": [
      ""
    ],
    "subject": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5"
    ],
    "data.result.data.metadata.self": [
      ""
    ],
    "data.result.data.kind": [
      "UserInvitation"
    ],
    "source": [
      "crn://confluent.cloud/"
    ],
    "type": [
      "io.confluent.cloud/request"
    ],
    "datacontenttype.keyword": [
      "application/json"
    ],
    "data.result.data.metadata.resource_name.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5"
    ],
    "data.request.data.user.email.keyword": [
      "ext.frede.hansen@dummymail.vombat"
    ],
    "data.request.accessType": [
      "MODIFICATION"
    ],
    "subject.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5"
    ],
    "type.keyword": [
      "io.confluent.cloud/request"
    ],
    "data.cloudResources.scope.resources.type": [
      "ORGANIZATION"
    ],
    "data.cloudResources.resource.type": [
      "USER_INVITATION"
    ],
    "id": [
      "24ca7045-f5e9-4904-83ab-6b9e2639715c"
    ],
    "data.request.data.send_invitation": [
      true
    ],
    "data.result.status": [
      "SUCCESS"
    ],
    "data.cloudResources.scope.resources.resourceId.keyword": [
      "63063aee-791f-4a10-881d-8c98506df535"
    ],
    "data.request.data.metadata.resource_name.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=*"
    ],
    "data.result.data.user.kind.keyword": [
      "User"
    ],
    "data.result.data.metadata.resource_name": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5"
    ],
    "data.resourceName.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5"
    ],
    "data.serviceName": [
      "crn://confluent.cloud/"
    ],
    "@version.keyword": [
      "1"
    ],
    "data.result.data.user.id.keyword": [
      "u-xqp96k"
    ],
    "data.cloudResources.resource.type.keyword": [
      "USER_INVITATION"
    ],
    "data.requestMetadata.requestId.keyword": [
      "c81157aa5b6e446333af97384334bdba"
    ],
    "data.temp.confluentUser.resourceId.keyword": [
      "u-mvy32w"
    ],
    "data.methodName.keyword": [
      "InviteUser"
    ],
    "data.request.data.user.kind": [
      "User"
    ],
    "data.request.data.metadata.self": [
      ""
    ],
    "data.request.data.api_version.keyword": [
      "v2"
    ],
    "specversion.keyword": [
      "1.0"
    ],
    "data.result.data.user.api_version": [
      "v2"
    ],
    "data.result.data.user.id": [
      "u-xqp96k"
    ],
    "data.methodName": [
      "InviteUser"
    ],
    "data.result.data.user.api_version.keyword": [
      "v2"
    ],
    "data.request.data.kind.keyword": [
      "UserInvitation"
    ],
    "data.authenticationInfo.result.keyword": [
      "SUCCESS"
    ],
    "data.requestMetadata.clientAddress.ip": [
      "193.162.26.14"
    ],
    "data.authenticationInfo.result": [
      "SUCCESS"
    ],
    "data.resourceName": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=i-8wjn5"
    ],
    "data.temp.confluentUser.resourceId": [
      "u-mvy32w"
    ],
    "id.keyword": [
      "24ca7045-f5e9-4904-83ab-6b9e2639715c"
    ],
    "data.request.data.user.api_version.keyword": [
      "v2"
    ],
    "@version": [
      "1"
    ],
    "specversion": [
      "1.0"
    ],
    "data.result.status.keyword": [
      "SUCCESS"
    ],
    "data.request.data.api_version": [
      "v2"
    ],
    "data.request.data.kind": [
      "UserInvitation"
    ],
    "data.requestMetadata.clientAddress.ip.keyword": [
      "193.162.26.14"
    ],
    "source.keyword": [
      "crn://confluent.cloud/"
    ],
    "data.result.data.api_version": [
      "v2"
    ],
    "data.cloudResources.resource.resourceId.keyword": [
      "i-8wjn5"
    ],
    "data.temp.email": [
      "xxx.yyy@zzz.com"
    ],
    "data.request.data.user.kind.keyword": [
      "User"
    ],
    "data.result.data.metadata.self.keyword": [
      ""
    ],
    "data.result.data.user.email.keyword": [
      "ext.frede.hansen@dummymail.vombat"
    ],
    "data.request.data.metadata.resource_name": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user-invitation=*"
    ],
    "data.request.data.user.api_version": [
      "v2"
    ],
    "data.result.data.send_invitation": [
      true
    ],
    "data.request.accessType.keyword": [
      "MODIFICATION"
    ],
    "@timestamp": [
      "2022-04-20T19:56:21.061Z"
    ],
    "data.cloudResources.scope.resources.resourceId": [
      "63063aee-791f-4a10-881d-8c98506df535"
    ],
    "data.serviceName.keyword": [
      "crn://confluent.cloud/"
    ],
    "data.request.data.user.email": [
      "ext.frede.hansen@dummymail.vombat"
    ],
    "data.result.data.user.email": [
      "ext.frede.hansen@dummymail.vombat"
    ],
    "data.result.data.kind.keyword": [
      "UserInvitation"
    ],
    "time": [
      "2022-04-20T19:56:20.775Z"
    ],
    "data.result.data.user.kind": [
      "User"
    ],
    "data.result.data.api_version.keyword": [
      "v2"
    ],
    "data.cloudResources.scope.resources.type.keyword": [
      "ORGANIZATION"
    ],
    "data.cloudResources.resource.resourceId": [
      "i-8wjn5"
    ]
  }
}

{
  "_index": "kafka-audit-2022.04.20",
  "_type": "_doc",
  "_id": "fUGMSIABmHV0cT-yE9rO",
  "_version": 1,
  "_score": 1,
  "_source": {
    "source": "crn://confluent.cloud/",
    "type": "io.confluent.cloud/request",
    "specversion": "1.0",
    "data": {
      "result": {
        "status": "SUCCESS",
        "data": {
          "email": "ext.frede.hansen@dummymail.vombat",
          "api_version": "iam/v2",
          "kind": "User",
          "metadata": {
            "updated_at": "2022-04-20T19:56:20.543205Z",
            "self": "https://api.confluent.cloud/iam/v2/users/u-xqp96k",
            "created_at": "2022-04-20T19:56:20.543205Z",
            "resource_name": "crn://confluent.cloud/user=u-xqp96k"
          },
          "full_name": "",
          "id": "u-xqp96k"
        }
      },
      "request": {
        "accessType": "MODIFICATION",
        "data": {
          "api_version": "iam/v2",
          "email": "ext.frede.hansen@dummymail.vombat",
          "full_name": "",
          "kind": "User"
        }
      },
      "requestMetadata": {
        "requestId": [
          "c81157aa5b6e446333af97384334bdba"
        ]
      },
      "temp": {
        "confluentUser": {
          "resourceId": "u-mvy32w"
        }
      },
      "cloudResources": [
        {
          "scope": {
            "resources": [
              {
                "resourceId": "63063aee-791f-4a10-881d-8c98506df535",
                "type": "ORGANIZATION"
              }
            ]
          },
          "resource": {
            "resourceId": "u-xqp96k",
            "type": "USER"
          }
        }
      ],
      "resourceName": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k",
      "serviceName": "crn://confluent.cloud/",
      "methodName": "CreateUser",
      "authenticationInfo": {
        "result": "SUCCESS"
      }
    },
    "time": "2022-04-20T19:56:20.568Z",
    "subject": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k",
    "datacontenttype": "application/json",
    "id": "a4dbb0f9-eeed-4914-912d-c85f63c08e5b",
    "@version": "1",
    "@timestamp": "2022-04-20T19:56:21.223Z"
  },
  "fields": {
    "data.requestMetadata.requestId": [
      "c81157aa5b6e446333af97384334bdba"
    ],
    "datacontenttype": [
      "application/json"
    ],
    "data.result.data.metadata.updated_at": [
      "2022-04-20T19:56:20.543Z"
    ],
    "data.result.data.full_name.keyword": [
      ""
    ],
    "subject": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.result.data.metadata.self": [
      "https://api.confluent.cloud/iam/v2/users/u-xqp96k"
    ],
    "data.result.data.metadata.created_at": [
      "2022-04-20T19:56:20.543Z"
    ],
    "data.result.data.kind": [
      "User"
    ],
    "data.result.data.email.keyword": [
      "ext.frede.hansen@dummymail.vombat"
    ],
    "source": [
      "crn://confluent.cloud/"
    ],
    "type": [
      "io.confluent.cloud/request"
    ],
    "datacontenttype.keyword": [
      "application/json"
    ],
    "data.result.data.metadata.resource_name.keyword": [
      "crn://confluent.cloud/user=u-xqp96k"
    ],
    "data.result.data.id": [
      "u-xqp96k"
    ],
    "data.request.data.email.keyword": [
      "ext.frede.hansen@dummymail.vombat"
    ],
    "data.request.accessType": [
      "MODIFICATION"
    ],
    "subject.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "type.keyword": [
      "io.confluent.cloud/request"
    ],
    "data.cloudResources.scope.resources.type": [
      "ORGANIZATION"
    ],
    "data.result.data.full_name": [
      ""
    ],
    "data.cloudResources.resource.type": [
      "USER"
    ],
    "data.request.data.full_name.keyword": [
      ""
    ],
    "id": [
      "a4dbb0f9-eeed-4914-912d-c85f63c08e5b"
    ],
    "data.result.status": [
      "SUCCESS"
    ],
    "data.cloudResources.scope.resources.resourceId.keyword": [
      "63063aee-791f-4a10-881d-8c98506df535"
    ],
    "data.result.data.metadata.resource_name": [
      "crn://confluent.cloud/user=u-xqp96k"
    ],
    "data.resourceName.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.serviceName": [
      "crn://confluent.cloud/"
    ],
    "@version.keyword": [
      "1"
    ],
    "data.cloudResources.resource.type.keyword": [
      "USER"
    ],
    "data.requestMetadata.requestId.keyword": [
      "c81157aa5b6e446333af97384334bdba"
    ],
    "data.result.data.id.keyword": [
      "u-xqp96k"
    ],
    "data.temp.confluentUser.resourceId.keyword": [
      "u-mvy32w"
    ],
    "data.methodName.keyword": [
      "CreateUser"
    ],
    "data.request.data.api_version.keyword": [
      "iam/v2"
    ],
    "specversion.keyword": [
      "1.0"
    ],
    "data.methodName": [
      "CreateUser"
    ],
    "data.request.data.kind.keyword": [
      "User"
    ],
    "data.authenticationInfo.result.keyword": [
      "SUCCESS"
    ],
    "data.authenticationInfo.result": [
      "SUCCESS"
    ],
    "data.resourceName": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.temp.confluentUser.resourceId": [
      "u-mvy32w"
    ],
    "data.request.data.email": [
      "ext.frede.hansen@dummymail.vombat"
    ],
    "id.keyword": [
      "a4dbb0f9-eeed-4914-912d-c85f63c08e5b"
    ],
    "@version": [
      "1"
    ],
    "specversion": [
      "1.0"
    ],
    "data.result.status.keyword": [
      "SUCCESS"
    ],
    "data.request.data.full_name": [
      ""
    ],
    "data.request.data.api_version": [
      "iam/v2"
    ],
    "data.request.data.kind": [
      "User"
    ],
    "source.keyword": [
      "crn://confluent.cloud/"
    ],
    "data.result.data.api_version": [
      "iam/v2"
    ],
    "data.cloudResources.resource.resourceId.keyword": [
      "u-xqp96k"
    ],
    "data.result.data.metadata.self.keyword": [
      "https://api.confluent.cloud/iam/v2/users/u-xqp96k"
    ],
    "data.result.data.email": [
      "ext.frede.hansen@dummymail.vombat"
    ],
    "data.request.accessType.keyword": [
      "MODIFICATION"
    ],
    "@timestamp": [
      "2022-04-20T19:56:21.223Z"
    ],
    "data.cloudResources.scope.resources.resourceId": [
      "63063aee-791f-4a10-881d-8c98506df535"
    ],
    "data.serviceName.keyword": [
      "crn://confluent.cloud/"
    ],
    "data.result.data.kind.keyword": [
      "User"
    ],
    "time": [
      "2022-04-20T19:56:20.568Z"
    ],
    "data.result.data.api_version.keyword": [
      "iam/v2"
    ],
    "data.cloudResources.scope.resources.type.keyword": [
      "ORGANIZATION"
    ],
    "data.cloudResources.resource.resourceId": [
      "u-xqp96k"
    ]
  }
}

{
  "_index": "kafka-audit-2022.04.20",
  "_type": "_doc",
  "_id": "LY-MSIABnd8NfSpePGk9",
  "_version": 1,
  "_score": 1,
  "_source": {
    "source": "crn://confluent.cloud/",
    "type": "io.confluent.kafka.server/authorization",
    "specversion": "1.0",
    "data": {
      "request": {
        "correlation_id": "-1"
      },
      "requestMetadata": {},
      "resourceName": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k",
      "serviceName": "crn://confluent.cloud/",
      "authorizationInfo": {
        "operation": "Describe",
        "patternType": "LITERAL",
        "rbacAuthorization": {
          "role": "OrganizationAdmin",
          "scope": {
            "outerScope": [
              "organization=63063aee-791f-4a10-881d-8c98506df535"
            ]
          }
        },
        "granted": true,
        "resourceType": "User",
        "resourceName": "u-xqp96k"
      },
      "methodName": "mds.Authorize",
      "authenticationInfo": {
        "principal": "User:u-mvy32w"
      }
    },
    "time": "2022-04-20T19:56:30.418Z",
    "subject": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k",
    "datacontenttype": "application/json",
    "id": "cbfe15bb-9af9-4186-b77f-53d5247abde3",
    "@version": "1",
    "@timestamp": "2022-04-20T19:56:31.574Z"
  },
  "fields": {
    "datacontenttype": [
      "application/json"
    ],
    "data.request.correlation_id": [
      "-1"
    ],
    "subject": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.authenticationInfo.principal": [
      "User:u-mvy32w"
    ],
    "data.request.correlation_id.keyword": [
      "-1"
    ],
    "data.authorizationInfo.rbacAuthorization.role": [
      "OrganizationAdmin"
    ],
    "data.resourceName": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.authorizationInfo.operation.keyword": [
      "Describe"
    ],
    "source": [
      "crn://confluent.cloud/"
    ],
    "type": [
      "io.confluent.kafka.server/authorization"
    ],
    "datacontenttype.keyword": [
      "application/json"
    ],
    "data.authorizationInfo.rbacAuthorization.scope.outerScope": [
      "organization=63063aee-791f-4a10-881d-8c98506df535"
    ],
    "data.authorizationInfo.patternType": [
      "LITERAL"
    ],
    "data.authorizationInfo.granted": [
      true
    ],
    "id.keyword": [
      "cbfe15bb-9af9-4186-b77f-53d5247abde3"
    ],
    "subject.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "type.keyword": [
      "io.confluent.kafka.server/authorization"
    ],
    "@version": [
      "1"
    ],
    "data.authorizationInfo.rbacAuthorization.scope.outerScope.keyword": [
      "organization=63063aee-791f-4a10-881d-8c98506df535"
    ],
    "specversion": [
      "1.0"
    ],
    "id": [
      "cbfe15bb-9af9-4186-b77f-53d5247abde3"
    ],
    "data.authorizationInfo.resourceType": [
      "User"
    ],
    "source.keyword": [
      "crn://confluent.cloud/"
    ],
    "data.authorizationInfo.resourceName.keyword": [
      "u-xqp96k"
    ],
    "data.resourceName.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.serviceName": [
      "crn://confluent.cloud/"
    ],
    "data.authorizationInfo.rbacAuthorization.role.keyword": [
      "OrganizationAdmin"
    ],
    "@version.keyword": [
      "1"
    ],
    "data.authorizationInfo.resourceName": [
      "u-xqp96k"
    ],
    "data.authenticationInfo.principal.keyword": [
      "User:u-mvy32w"
    ],
    "data.methodName.keyword": [
      "mds.Authorize"
    ],
    "@timestamp": [
      "2022-04-20T19:56:31.574Z"
    ],
    "specversion.keyword": [
      "1.0"
    ],
    "data.authorizationInfo.resourceType.keyword": [
      "User"
    ],
    "data.authorizationInfo.patternType.keyword": [
      "LITERAL"
    ],
    "data.serviceName.keyword": [
      "crn://confluent.cloud/"
    ],
    "data.methodName": [
      "mds.Authorize"
    ],
    "time": [
      "2022-04-20T19:56:30.418Z"
    ],
    "data.authorizationInfo.operation": [
      "Describe"
    ]
  }
}

{
  "_index": "kafka-audit-2022.04.20",
  "_type": "_doc",
  "_id": "KUGMSIABmHV0cT-yINw1",
  "_version": 1,
  "_score": 1,
  "_source": {
    "source": "crn://confluent.cloud/",
    "type": "io.confluent.kafka.server/authorization",
    "specversion": "1.0",
    "data": {
      "request": {
        "correlation_id": "-1"
      },
      "requestMetadata": {
        "request_id": "11b097893837c4cb393b7b29dc62b655"
      },
      "resourceName": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k",
      "serviceName": "crn://confluent.cloud/",
      "authorizationInfo": {
        "operation": "Describe",
        "patternType": "LITERAL",
        "rbacAuthorization": {
          "role": "OrganizationAdmin",
          "scope": {
            "outerScope": [
              "organization=63063aee-791f-4a10-881d-8c98506df535"
            ]
          }
        },
        "granted": true,
        "resourceType": "User",
        "resourceName": "u-xqp96k"
      },
      "methodName": "mds.Authorize",
      "authenticationInfo": {
        "principal": "User:u-mvy32w"
      }
    },
    "time": "2022-04-20T19:56:22.667Z",
    "subject": "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k",
    "datacontenttype": "application/json",
    "id": "12037025-886b-4013-8274-f4860662fb4d",
    "@version": "1",
    "@timestamp": "2022-04-20T19:56:24.393Z"
  },
  "fields": {
    "datacontenttype": [
      "application/json"
    ],
    "data.request.correlation_id": [
      "-1"
    ],
    "data.requestMetadata.request_id": [
      "11b097893837c4cb393b7b29dc62b655"
    ],
    "subject": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.authenticationInfo.principal": [
      "User:u-mvy32w"
    ],
    "data.request.correlation_id.keyword": [
      "-1"
    ],
    "data.authorizationInfo.rbacAuthorization.role": [
      "OrganizationAdmin"
    ],
    "data.resourceName": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.authorizationInfo.operation.keyword": [
      "Describe"
    ],
    "source": [
      "crn://confluent.cloud/"
    ],
    "type": [
      "io.confluent.kafka.server/authorization"
    ],
    "datacontenttype.keyword": [
      "application/json"
    ],
    "data.authorizationInfo.rbacAuthorization.scope.outerScope": [
      "organization=63063aee-791f-4a10-881d-8c98506df535"
    ],
    "data.requestMetadata.request_id.keyword": [
      "11b097893837c4cb393b7b29dc62b655"
    ],
    "data.authorizationInfo.patternType": [
      "LITERAL"
    ],
    "data.authorizationInfo.granted": [
      true
    ],
    "id.keyword": [
      "12037025-886b-4013-8274-f4860662fb4d"
    ],
    "subject.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "type.keyword": [
      "io.confluent.kafka.server/authorization"
    ],
    "@version": [
      "1"
    ],
    "data.authorizationInfo.rbacAuthorization.scope.outerScope.keyword": [
      "organization=63063aee-791f-4a10-881d-8c98506df535"
    ],
    "specversion": [
      "1.0"
    ],
    "id": [
      "12037025-886b-4013-8274-f4860662fb4d"
    ],
    "data.authorizationInfo.resourceType": [
      "User"
    ],
    "source.keyword": [
      "crn://confluent.cloud/"
    ],
    "data.authorizationInfo.resourceName.keyword": [
      "u-xqp96k"
    ],
    "data.resourceName.keyword": [
      "crn://confluent.cloud/organization=63063aee-791f-4a10-881d-8c98506df535/user=u-xqp96k"
    ],
    "data.serviceName": [
      "crn://confluent.cloud/"
    ],
    "data.authorizationInfo.rbacAuthorization.role.keyword": [
      "OrganizationAdmin"
    ],
    "@version.keyword": [
      "1"
    ],
    "data.authorizationInfo.resourceName": [
      "u-xqp96k"
    ],
    "data.authenticationInfo.principal.keyword": [
      "User:u-mvy32w"
    ],
    "data.methodName.keyword": [
      "mds.Authorize"
    ],
    "@timestamp": [
      "2022-04-20T19:56:24.393Z"
    ],
    "specversion.keyword": [
      "1.0"
    ],
    "data.authorizationInfo.resourceType.keyword": [
      "User"
    ],
    "data.authorizationInfo.patternType.keyword": [
      "LITERAL"
    ],
    "data.serviceName.keyword": [
      "crn://confluent.cloud/"
    ],
    "data.methodName": [
      "mds.Authorize"
    ],
    "time": [
      "2022-04-20T19:56:22.667Z"
    ],
    "data.authorizationInfo.operation": [
      "Describe"
    ]
  }
}

Sorry about the super long and not very readable JSON, but I could not figure out how to copy it to the clipboard with the table layout.

Right,
If I create a rule in the Rules and Connectors section, I can get alerted when, for example, the field
data.methodName: "InviteUser" exists, with given thresholds.

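But I cannot for the life of me figure out how to create a rule that also checks which RBAC role is assigned.
In the JSON above, the dummy user I invited has the role of OrganizationAdmin; it would be nice to include that and other roles in the alert. (Note: in the two mds.Authorize events the role sits under data.authorizationInfo.rbacAuthorization, with data.authenticationInfo.principal "User:u-mvy32w" — the same ID as data.temp.confluentUser.resourceId in the InviteUser event — and u-xqp96k as the resource, so it may describe the authorization of the inviting account rather than a role granted to the invited user.)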

Can someone here perhaps point me in the right direction on how I could construct such a rule?
As an added bonus, it would also be nice to get some pointers on how to display the actual event, with username/email address and such, in the mail sent when the rule fires.

Thanks in advance.

Best regards

Oelsner
