Internal and external customers have asked for the ability to:

• interact with alert queries
• transform the results of the queries (e.g. with painless)
• log query results

This is frequently discussed in the context of the search query. Example use cases:

• Transform query results in order to populate action parameters as they need. I am linking a related enhancement request below, as well as internal requirements (Infra team).
• Setting up a dynamic condition. For example set up a dynamic threshold of the type trigger if the aggregation of the metric within the set window is X times greater than that of the previous window.
• More generally this would help migrating from Watcher (which offers ways to interact with the alert payload) customers who use watches that cannot currently be met with Kibana alerting.
• An additional use case involves logging the query results for audit purposes. However there is perhaps a better path for this use case, one involving the new Kibana audit logging (which provides with a trace ID that allows users to link Kibana with ES audit logs) and an enhancement request for ES audit logs. The combination would allow users to audit alert queries and their results.