Is there a possibility of extracting all the raw documents from Elasticsearch with respect to SIEM events? For example, if we have the rule name [Unusual Login Activity] and we have enabled this particular out-of-the-box rule in the SIEM app, we are able to see all the related events in the SIEM app and we could use the timeline app for threat hunting (it's a wonderful place to play with security events and for correlation). But my question is: is it possible to extract those security events dynamically to an external source, maybe email or any other third-party destination (for log analysis)?
For example, if we have third-party cyber security consultants who want to review the logs without logging in to Kibana. Let's say we have 400 security events related to this rule in the last 24 hrs. How do we extract all these 400 events out of Elasticsearch?
Apart from this, I know we have the alerting feature to get an overview or insights of the incident, but I would like to extract all the 400 events out of Elasticsearch dynamically (if that incident occurs).
Please do suggest any ideas.
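One way to pull the events for a single rule out of the cluster on a schedule, as an added example that is not part of the original post and not Elastic's own tooling: the script below queries the detection-engine alert index directly over the REST API and walks a scroll cursor so that all hits (400 or 40,000) are returned, then writes them as NDJSON for hand-off. The index name, rule-name field, endpoint and credentials are assumptions (the 7.x `.siem-signals-*` / `signal.rule.name` layout; 8.x moved to `.alerts-security.alerts-*` and `kibana.alert.rule.name`).

```python
"""Dump every alert one SIEM detection rule produced in the last N hours.
Assumes the 7.x detection-engine layout: alerts in .siem-signals-* with the
rule name in signal.rule.name (8.x: .alerts-security.alerts-* and
kibana.alert.rule.name). Endpoint and credentials are placeholders."""
import base64
import json
import urllib.request
from typing import Callable, List, Optional

ES_URL = "https://elasticsearch.example:9200"              # placeholder
ES_AUTH = base64.b64encode(b"reader:CHANGE_ME").decode()   # placeholder read-only user
INDEX = ".siem-signals-*"            # 8.x: .alerts-security.alerts-*
RULE_FIELD = "signal.rule.name"      # 8.x: kibana.alert.rule.name
PAGE_SIZE = 500

def build_query(rule_name: str, hours: int) -> dict:
    """Exact-match the rule name and bound the window to the last `hours` hours."""
    return {"size": PAGE_SIZE, "sort": [{"@timestamp": "asc"}],
            "query": {"bool": {"filter": [
                {"term": {RULE_FIELD: rule_name}},
                {"range": {"@timestamp": {"gte": f"now-{hours}h", "lte": "now"}}}]}}}

def es_call(method: str, path: str, body: Optional[dict] = None) -> dict:
    """One authenticated JSON request against the cluster."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method, headers={
        "Content-Type": "application/json", "Authorization": "Basic " + ES_AUTH})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def collect_alerts(call: Callable[..., dict], rule_name: str, hours: int = 24) -> List[dict]:
    """Walk a scroll cursor until exhausted; return the raw _source of every hit.
    `call` is injected so the paging logic can be exercised without a cluster."""
    page = call("POST", f"/{INDEX}/_search?scroll=2m", build_query(rule_name, hours))
    docs = [h["_source"] for h in page["hits"]["hits"]]
    scroll_id = page.get("_scroll_id")
    while scroll_id and page["hits"]["hits"]:      # an empty batch ends the scroll
        page = call("POST", "/_search/scroll", {"scroll": "2m", "scroll_id": scroll_id})
        docs.extend(h["_source"] for h in page["hits"]["hits"])
        scroll_id = page.get("_scroll_id", scroll_id)
    if scroll_id:                                  # release the server-side cursor
        call("DELETE", "/_search/scroll", {"scroll_id": scroll_id})
    return docs

if __name__ == "__main__":
    hits = collect_alerts(es_call, "Unusual Login Activity", hours=24)
    with open("unusual_login_activity_24h.ndjson", "w", encoding="utf-8") as fh:
        fh.writelines(json.dumps(d, sort_keys=True) + "\n" for d in hits)
    print(len(hits), "alerts written")
```

Run it from cron or from a Watcher/alerting webhook so the dump is produced whenever the rule fires; the resulting file can be mailed or pushed to whatever the consultants use without giving them Kibana access.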