Watcher Hits in Script Params

@spinscale Thanks for your response. For the sake of closing this and not having a Wisdom of the Ancients moment, this script I wrote does what I need. It should be fairly easy to extend to solve any need similar to mine.

// Stored script "makealert": builds one alert document from the watch payload.
// Painless requires functions to be declared before the main script body.
ArrayList makeEvents(def fields, def hits) {
    ArrayList events = new ArrayList();
    for (hit in hits) {
        // Copy only the requested fields out of each hit's _source;
        // a field that is absent from a hit is stored as null.
        Map newHit = new HashMap();
        for (field in fields) {
            newHit[field] = hit._source[field];
        }
        events.add(newHit);
    }
    return events;
}
Map alert = new HashMap();
// "?:" falls back to the default only when the left-hand value is null
alert['description'] = ctx.metadata.description ?: 'No Description';
alert['name'] = ctx.metadata.name ?: 'No Name';
alert['type'] = params.type ?: 'Generic';
alert['severity'] = params.severity ?: 'Low';
alert['timestamp'] = ctx.execution_time;
alert['totalhits'] = ctx.payload.hits.total;
alert['events'] = makeEvents(params.fields, ctx.payload.hits.hits);
return alert;

And it is invoked like this:

  "actions": {
    "index_events": {
      "transform": {
        "script": {
          "stored": "makealert",
          "params": {
            "fields": [
              "@timestamp",
              "src",
              "dst",
              "dpt",
              "act"
            ],
            "type": "Firewall"
          }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

You can provide an arbitrary list of fields to extract and some metadata about the event, and it will index that new data in the events index. An example of an indexed event looks like this:

{
    "_index": "events",
    "_type": "event",
    "_id": "AV7OKPeImBrfvrPn9sDU",
    "_score": 1,
    "_source": {
        "totalhits": 92,
        "name": "Watching External DNS Servers",
        "description": "Watching for when clients attempt to use Google DNS for resolution",
        "type": "Firewall",
        "severity": "Low",
        "events": [{
                "@timestamp": "2017-09-29T15:02:06.141Z",
                "act": "denied",
                "hitCount": "1",
                "dst": "8.8.8.8",
                "src": "1.2.3.4",
                "dpt": "53"
            },
            {
                "@timestamp": "2017-09-29T15:02:04.250Z",
                "act": "denied",
                "hitCount": "1",
                "dst": "8.8.8.8",
                "src": "1.2.3.4",
                "dpt": "53"
            }
        ],
        "timestamp": "2017-09-29T15:02:23.560Z"
    }
}
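The following is an added example, not code from the post above: an offline Python re-implementation of the stored transform script, so the field selection and the `?:` defaults can be checked against a constructed payload before the script is stored in Elasticsearch. The `SAMPLE_CTX` and `SAMPLE_PARAMS` values are constructed for this example and only mirror the shape of Watcher's `ctx` and the action's `params`; the second sample hit deliberately lacks `dpt` to show what the script does with a requested field that a hit does not carry.

```python
"""Offline harness mirroring the Watcher transform script (added example)."""
import json

# Constructed stand-in for Watcher's ctx: metadata comes from the watch
# definition, payload from the search input, execution_time from the trigger.
SAMPLE_CTX = {
    "metadata": {
        "name": "Watching External DNS Servers",
        "description": "Watching for when clients attempt to use Google DNS for resolution",
    },
    "execution_time": "2017-09-29T15:02:23.560Z",
    "payload": {
        "hits": {
            "total": 2,
            "hits": [
                {"_index": "firewall", "_id": "1",
                 "_source": {"@timestamp": "2017-09-29T15:02:06.141Z", "src": "1.2.3.4",
                             "dst": "8.8.8.8", "dpt": "53", "act": "denied",
                             "msg": "not requested, must not be copied"}},
                {"_index": "firewall", "_id": "2",
                 "_source": {"@timestamp": "2017-09-29T15:02:04.250Z", "src": "1.2.3.4",
                             "dst": "8.8.8.8", "act": "denied"}},  # no "dpt" on purpose
            ],
        }
    },
}

# Constructed params, same as the "index_events" action in the post
# (note: no "severity", so the script's default applies).
SAMPLE_PARAMS = {"fields": ["@timestamp", "src", "dst", "dpt", "act"], "type": "Firewall"}


def elvis(value, default):
    """Painless `a ?: b`: b only when a is null (None), not for other falsy values."""
    return default if value is None else value


def make_events(fields, hits):
    """Mirror of makeEvents(): keep only the requested fields from each hit's
    _source. Map access on a missing key yields null in Painless, so a missing
    field becomes None here rather than being silently dropped."""
    return [{f: hit.get("_source", {}).get(f) for f in fields} for hit in hits]


def make_alert(ctx, params):
    """Mirror of the stored script body: one alert document per watch execution."""
    meta = ctx.get("metadata") or {}
    return {
        "description": elvis(meta.get("description"), "No Description"),
        "name": elvis(meta.get("name"), "No Name"),
        "type": elvis(params.get("type"), "Generic"),
        "severity": elvis(params.get("severity"), "Low"),
        "timestamp": ctx["execution_time"],
        "totalhits": ctx["payload"]["hits"]["total"],
        "events": make_events(params["fields"], ctx["payload"]["hits"]["hits"]),
    }


if __name__ == "__main__":
    print(json.dumps(make_alert(SAMPLE_CTX, SAMPLE_PARAMS), indent=2))
```

Two things the harness makes visible that the post's sample output does not: fields that are not listed in `params.fields` (here `msg`) never reach the events index, and a listed field that is absent from a hit is written as `null`, which is worth knowing if a downstream query filters on that field.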