Return nested fields from query using source filter

I am trying to query my signals indices in Elastic and I would like the results to return only the fields that I am interested and my current challenge is that some of the fields are nested. I have tried various methods of writing my query but it either returns some fields or no fields at all.

I am using the source filter option that I have found on the internet and this works for the fields that are not nested. Could someone please assist me with correct way of writing my query statement?

My ultimate goal is to pass some of the data from an Alert into an external system that will create a case based on the alert details.

I have also noticed that my returned results contain a key _source which has a nested key, value pair of message so that is why the query sometimes returns results and other times it does not.

Here is a sample of of my get request, I am testing using Postman API and I have the following GET request*

         "_source": ["message", "ip"],
        "query": {
            "range" : {
                "@timestamp": {
                    "gte": "2020-06-22"

Below is a sample of the results being returned.

     "index": [
              "interval": "5m",
              "language": "kuery",
              "name": "Remote Logins via RDP",
              "query": "winlog.event_data.LogonType : \"3\" and event.type: \"authentication_success\"  and host.hostname :\"testbox\"  ",
              "references": [],
              "severity": "critical",
              "tags": [],
              "type": "query",
              "to": "now",
              "enabled": true,
              "filters": [],
              "created_by": "some_user",
              "updated_by": "some_user",
              "threat": [],
              "version": 1,
              "created_at": "2020-06-09T14:18:39.289Z",
              "updated_at": "2020-06-09T14:18:40.327Z"
            "original_event": {
              "provider": "Microsoft-Windows-Security-Auditing",
              "created": "2020-06-10T00:34:46.584Z",
              "module": "security",
              "outcome": "success",
              "type": "authentication_success",
              "code": 4624,
              "action": "logged-in",
              "category": "authentication",
              "kind": "event"

I have managed to find a solution to my post, I did an investigation of the fields that are being returned in my alert and then updated my query to this below.

    "_source": ["message", "event.action", "signal.rule.description", "event.category", "@timestamp"],
    "query": {
         "match_all": {}

Now I can access the fields that I am after. So for the nested fields I can access the value by using eg. event.type

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.