The field labels is of type object in the ECS and since we have dynamic: false in the AAD index mapping, the subfields of labels are not added to the mapping. As a result, we are not able to use subfields of labels to filter alerts or correlate alerts.

We experimented with the type and found that using flattened might be more suitable for this use case. With flattened type, we are able to query data with subfields. However, changing to flattened will make labels field non ECS compliant.

Our goal is to be able to search alerts using labels e.g. labels.eventId or labels.groupId.

The search query below works with subfields when the type of the field is flattened. The same does not work with object type.

PUT /test
{
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "dynamic": false,
    "properties": {
      "field1": { "type": "flattened" }
    }
  }
}

PUT /test/_doc/1
{
  "field1": {
    "subfield1": "foo"
  }
}

POST test/_search
{
  "query": {
    "match_phrase": {
      "field1.subfield1": "foo"
    }
  }
}