Thanks for replying @richgalloway, the events come from an anomaly detection system and look like this (raw). I've had to redact it quite heavily; hopefully it will still be of some use:

{"creationTime":...,"breachUrl":"https://.../.../...","commentCount":0,"pbid":1315000,"time":...,"model":{"name":"Compromise::Watched Domain","pid":11,"phid":8116,"uuid":"...","logic":{"data":[{"cid":14400,"weight":1},{"cid":14401,"weight":1},{"cid":14402,"weight":1},{"cid":14403,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":3600,"sharedEndpoints":false,"actions":{"alert":true,"...":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["..."],"interval":3600,"sequenced":false,"active":true,"modified":"...","activeTimes":{"devices":{"93657":[{}],"2830":[{}],"636":[{}],"2957":[{}],"52344":[{}],"4329":[{}],"913":[{}],"44":[{}]},"tags":{},"type":"exclusions","version":2},"priority":5,"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"...","behaviour":"decreasing","defeats":[],"created":{"by":"..."},"edited":{"by":"...","userID"...},"version":24},"triggeredComponents":[{"time":...,"cbid":...,"cid":14400,"chid":25028,"size":1,"threshold":0,"interval":3600,"logic":{...}}}}},"version":"v..."},"metric":{"mlid":220,"name":"...","label":"Watched Domain"},"triggeredFilters":[{"cfid":111671,"id":"A","filterType":"Watched endpoint source","arguments":{"value":".+"},"comparatorType":"does not match regular expression","trigger":{"value":""}},{"cfid":111673,"id":"C","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":111675,"id":"E","filterType":"Internal source device type","arguments":{"value":"12"},"comparatorType":"is not","trigger":{"value":"Server"}},{"cfid":111676,"id":"d1","filterType":"Internal source device type","arguments":{},"comparatorType":"display","trigger":{"value":"Server"}},{"cfid":111677,"id":"d2","filterType":"Connection hostname","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":111678,"id":"d3","filterType":"Destination IP","arguments":{},"comparatorType":"display","trigger":{"value":"1.2.3.4"}},{"cfid":111679,"id":"d4","filterType":"ASN","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":111680,"id":"d5","filterType":"Country","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":111681,"id":"d6","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"politicweekend.com"}},{"cfid":111682,"id":"d7","filterType":"Watched endpoint","arguments":{},"comparatorType":"display","trigger":{"value":"true"}},{"cfid":111683,"id":"d8","filterType":"Watched endpoint source","arguments":{},"comparatorType":"display","trigger":{"value":""}}]}],"score":0.161,"device":{"did":74376,"ip":"5.6.7.8","ips":[{"ip":"5.6.7.8","timems":...,"time":"...","sid":512731}],"sid":512731,"firstSeen":...,"lastSeen":...,"devicelabel":"...","typename":"server","typelabel":"Server"}}

There's nothing wrong with my inline search. I'm trying to make the events CIM-compliant, and fields like dest are contained in this new_trig mv field that I've spath'd and then regexed out. So I want the CIM fields to be present in the index so things like the Intrusion Detection data model can be populated for use by Enterprise Security. Also, the regexes will differ according to the detection model that has been breached, i.e. the actual destination for an event might be called something different in 'trigger_name' according to the model being breached.
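The per-model extraction described in the post, worked through on a reduced copy of the event above; this is added example code, not from the thread or from the vendor, and the CIM field-to-filterType mapping (and the second, hypothetical model entry) are assumptions standing in for whatever the spath/regex logic would have to encode.

```python
import json

# Constructed, heavily reduced event in the shape of the sample above
# (only the keys used below are kept).
SAMPLE = json.loads("""{
 "pbid": 1315000, "score": 0.161,
 "model": {"name": "Compromise::Watched Domain", "pid": 11},
 "triggeredComponents": [{"cid": 14400, "triggeredFilters": [
   {"id": "C", "filterType": "Direction", "comparatorType": "is", "trigger": {"value": "out"}},
   {"id": "d3", "filterType": "Destination IP", "comparatorType": "display", "trigger": {"value": "1.2.3.4"}},
   {"id": "d6", "filterType": "Message", "comparatorType": "display", "trigger": {"value": "politicweekend.com"}},
   {"id": "d7", "filterType": "Watched endpoint", "comparatorType": "display", "trigger": {"value": "true"}}
 ]}],
 "device": {"did": 74376, "ip": "5.6.7.8", "typelabel": "Server"}
}""")

# Per-model mapping of CIM field -> filterType that carries it. These are assumed
# names: only the first model name comes from the sample event; the second entry is
# hypothetical and exists to show why the mapping has to vary by breached model.
MODEL_FIELD_MAP = {
    "Compromise::Watched Domain": {"dest_ip": "Destination IP", "dest": "Message"},
    "Hypothetical::Other Model": {"dest_ip": "Destination IP", "dest": "Connection hostname"},
}
DEFAULT_MAP = {"dest_ip": "Destination IP", "dest": "Connection hostname"}


def display_values(event):
    """Map filterType -> trigger value for 'display' filters across all triggered components.
    Filters with an empty trigger value (redacted or not populated) are skipped."""
    out = {}
    for comp in event.get("triggeredComponents", []):
        for f in comp.get("triggeredFilters", []):
            if f.get("comparatorType") == "display" and f.get("trigger", {}).get("value"):
                out[f["filterType"]] = f["trigger"]["value"]
    return out


def to_cim(event):
    """Build CIM-style fields (signature, src, dest, dest_ip) using the per-model mapping.
    Unknown models fall back to DEFAULT_MAP; a missing source leaves the field absent."""
    model = event["model"]["name"]
    vals = display_values(event)
    cim = {"signature": model, "src": event["device"]["ip"]}
    for field, ftype in MODEL_FIELD_MAP.get(model, DEFAULT_MAP).items():
        if ftype in vals:
            cim[field] = vals[ftype]
    if "dest" not in cim and "dest_ip" in cim:
        cim["dest"] = cim["dest_ip"]  # no hostname displayed: fall back to the IP
    return cim
```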