[8.19] [ResponseOps] Cases analytics index (#223405) (#225019)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[ResponseOps] Cases analytics index
(#223405)](#223405)

<!--- Backport version: 10.0.1 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT
[{"author":{"name":"Antonio","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-06-24T06:46:32Z","message":"[ResponseOps]
Cases analytics index (#223405)\n\nThis PR is for a feature branch that
is being merged into main.\n\nThe relevant PRs are:\n-
https://github.com/elastic/kibana/pull/219211\n-
https://github.com/elastic/kibana/pull/222820\n-
https://github.com/elastic/kibana/pull/223241\n-
https://github.com/elastic/kibana/pull/224388\n-
https://github.com/elastic/kibana/pull/224682\n\n## Summary\n\nThis PR
adds 4 new indexes with case analytics data, which are created\nwhen the
cases plugin starts.\n\n - `.internal.cases`\n -
`.internal.cases-comments`\n - `.internal.cases-attachments`\n -
`.internal.cases-activity`\n\nAfter the indexes are created, a backfill
task for each of them is\nscheduled to run 1 minute after creation. This
task populates the\nindexes with relevant data from
`.kibana_alerting_cases`.\n\nA second type of task is registered, the
index synchronization task.\nFour of these tasks, one for each index,
are scheduled to run every 5\nminutes. The synchronization tasks
populated the indexes with data from\n`.kibana_alerting_cases` that was
created or updated in the last five\nminutes.\n\n## How to test\n\nYou
might want to start Kibana with `--verbose` to see relevant
index\nmessages in the console.\n\nAlternatively(what I normally do), is
go to `analytics_index.ts`,\n`backfill_task_runner.ts`, and
`synchronization_task_runner.ts`, and\nchange the `logDebug` function to
call `this.logger.info` instead. This\nway, you will have less spam in
the console.\n\nEvery log message starts with the index name between
square brackets, so\nyou can look for `[.internal.cases-` and follow
what is happening.\n\n1. You should have some existing case data, so
before anything else,\nplease create some activity, attachments,
etc.\n2. Add `xpack.cases.analytics.index.enabled: true` to
`kibana.dev.yml`\nand restart Kibana.\n3. Check out
[this\nbranch](elastic/elasticsearch#129414)
from the\nES project.\n4. Start Elastic Search with `yarn es source`.
This will use the above\nversion of Elasticsearch.\n5. Wait a bit for
the indexes to be created and populated(backfilled).\n6. Using the dev
tools:\n - Confirm the indexes exist.\n- Check the index mapping. Does
it match the one in the code? Is the\n`_meta` field
correct?\n-\n`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/mappings.ts`\n
- Check that the painless scripts match the
code.\n-\n`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/painless_scripts.ts`\n-
Confirm your existing case data is in the indexes. (See
**Queries**\nsection below.)\n7. Play around with cases. Some
examples:\n - Create a case\n - Change status/severity\n - Attach
alerts\n - Add files\n - Change category/tags\n - Add comments\n -
etc\n8. Go to the dev tools again and confirm all this shows up in
the\nrelevant indexes. (See **Queries** section below.)\n\n##
Queries\n\nIn addition to the ones, below I have a few more. Things like
reindexing\nwith specific scripts or fetching relevant data
from\n`.kibana_alerting_cases`. Ping me if you want those
queries.\n\n### Checking index content\n```\nGET
/.internal.cases/_search\nGET /.internal.cases-comments/_search\nGET
/.internal.cases-attachments/_search\nGET
/.internal.cases-activity/_search\n```\n\n### Checking index
mappings\n```\nGET /.internal.cases\nGET /.internal.cases-comments\nGET
/.internal.cases-attachments\nGET /.internal.cases-activity\n```\n\n###
Fetching the painless scripts\n```\nGET
/_scripts/cai_cases_script_1\nGET
/_scripts/cai_attachments_script_1\nGET
/_scripts/cai_comments_script_1\nGET
/_scripts/cai_activity_script_1\n```\n\n### Emptying the indexes\n\nIt
is sometimes useful for testing.\n```\nPOST
/.internal.cases/_delete_by_query\nPOST
/.internal.cases-comments/_delete_by_query\nPOST
/.internal.cases-attachments/_delete_by_query\nPOST
/.internal.cases-activity/_delete_by_query\n```\n\n### Deleting the
indexes\n\nIt is sometimes useful for testing.\n```\nDELETE
/.internal.cases\nDELETE /.internal.cases-comments\nDELETE
/.internal.cases-attachments\nDELETE
/.internal.cases-activity\n```\n\n## Release notes\n\nFour dedicated
case analytics indexes were created, allowing users to\nbuild dashboards
and metrics over case data. These indexes are created\non Kibana startup
and updated periodically with cases, comments,\nattachments, and
activity data.\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>\nCo-authored-by: Christos
Nasikas
<[email protected]>","sha":"e566fec14b824f2e3c28a16dbfbcfa622b721b4a","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:ResponseOps","Feature:Cases","release_note:feature","ci:cloud-deploy","backport:version","v9.1.0","v8.19.0"],"title":"[ResponseOps]
Cases analytics
index","number":223405,"url":"https://github.com/elastic/kibana/pull/223405","mergeCommit":{"message":"[ResponseOps]
Cases analytics index (#223405)\n\nThis PR is for a feature branch that
is being merged into main.\n\nThe relevant PRs are:\n-
https://github.com/elastic/kibana/pull/219211\n-
https://github.com/elastic/kibana/pull/222820\n-
https://github.com/elastic/kibana/pull/223241\n-
https://github.com/elastic/kibana/pull/224388\n-
https://github.com/elastic/kibana/pull/224682\n\n## Summary\n\nThis PR
adds 4 new indexes with case analytics data, which are created\nwhen the
cases plugin starts.\n\n - `.internal.cases`\n -
`.internal.cases-comments`\n - `.internal.cases-attachments`\n -
`.internal.cases-activity`\n\nAfter the indexes are created, a backfill
task for each of them is\nscheduled to run 1 minute after creation. This
task populates the\nindexes with relevant data from
`.kibana_alerting_cases`.\n\nA second type of task is registered, the
index synchronization task.\nFour of these tasks, one for each index,
are scheduled to run every 5\nminutes. The synchronization tasks
populated the indexes with data from\n`.kibana_alerting_cases` that was
created or updated in the last five\nminutes.\n\n## How to test\n\nYou
might want to start Kibana with `--verbose` to see relevant
index\nmessages in the console.\n\nAlternatively(what I normally do), is
go to `analytics_index.ts`,\n`backfill_task_runner.ts`, and
`synchronization_task_runner.ts`, and\nchange the `logDebug` function to
call `this.logger.info` instead. This\nway, you will have less spam in
the console.\n\nEvery log message starts with the index name between
square brackets, so\nyou can look for `[.internal.cases-` and follow
what is happening.\n\n1. You should have some existing case data, so
before anything else,\nplease create some activity, attachments,
etc.\n2. Add `xpack.cases.analytics.index.enabled: true` to
`kibana.dev.yml`\nand restart Kibana.\n3. Check out
[this\nbranch](elastic/elasticsearch#129414)
from the\nES project.\n4. Start Elastic Search with `yarn es source`.
This will use the above\nversion of Elasticsearch.\n5. Wait a bit for
the indexes to be created and populated(backfilled).\n6. Using the dev
tools:\n - Confirm the indexes exist.\n- Check the index mapping. Does
it match the one in the code? Is the\n`_meta` field
correct?\n-\n`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/mappings.ts`\n
- Check that the painless scripts match the
code.\n-\n`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/painless_scripts.ts`\n-
Confirm your existing case data is in the indexes. (See
**Queries**\nsection below.)\n7. Play around with cases. Some
examples:\n - Create a case\n - Change status/severity\n - Attach
alerts\n - Add files\n - Change category/tags\n - Add comments\n -
etc\n8. Go to the dev tools again and confirm all this shows up in
the\nrelevant indexes. (See **Queries** section below.)\n\n##
Queries\n\nIn addition to the ones, below I have a few more. Things like
reindexing\nwith specific scripts or fetching relevant data
from\n`.kibana_alerting_cases`. Ping me if you want those
queries.\n\n### Checking index content\n```\nGET
/.internal.cases/_search\nGET /.internal.cases-comments/_search\nGET
/.internal.cases-attachments/_search\nGET
/.internal.cases-activity/_search\n```\n\n### Checking index
mappings\n```\nGET /.internal.cases\nGET /.internal.cases-comments\nGET
/.internal.cases-attachments\nGET /.internal.cases-activity\n```\n\n###
Fetching the painless scripts\n```\nGET
/_scripts/cai_cases_script_1\nGET
/_scripts/cai_attachments_script_1\nGET
/_scripts/cai_comments_script_1\nGET
/_scripts/cai_activity_script_1\n```\n\n### Emptying the indexes\n\nIt
is sometimes useful for testing.\n```\nPOST
/.internal.cases/_delete_by_query\nPOST
/.internal.cases-comments/_delete_by_query\nPOST
/.internal.cases-attachments/_delete_by_query\nPOST
/.internal.cases-activity/_delete_by_query\n```\n\n### Deleting the
indexes\n\nIt is sometimes useful for testing.\n```\nDELETE
/.internal.cases\nDELETE /.internal.cases-comments\nDELETE
/.internal.cases-attachments\nDELETE
/.internal.cases-activity\n```\n\n## Release notes\n\nFour dedicated
case analytics indexes were created, allowing users to\nbuild dashboards
and metrics over case data. These indexes are created\non Kibana startup
and updated periodically with cases, comments,\nattachments, and
activity data.\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>\nCo-authored-by: Christos
Nasikas
<[email protected]>","sha":"e566fec14b824f2e3c28a16dbfbcfa622b721b4a"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/223405","number":223405,"mergeCommit":{"message":"[ResponseOps]
Cases analytics index (#223405)\n\nThis PR is for a feature branch that
is being merged into main.\n\nThe relevant PRs are:\n-
https://github.com/elastic/kibana/pull/219211\n-
https://github.com/elastic/kibana/pull/222820\n-
https://github.com/elastic/kibana/pull/223241\n-
https://github.com/elastic/kibana/pull/224388\n-
https://github.com/elastic/kibana/pull/224682\n\n## Summary\n\nThis PR
adds 4 new indexes with case analytics data, which are created\nwhen the
cases plugin starts.\n\n - `.internal.cases`\n -
`.internal.cases-comments`\n - `.internal.cases-attachments`\n -
`.internal.cases-activity`\n\nAfter the indexes are created, a backfill
task for each of them is\nscheduled to run 1 minute after creation. This
task populates the\nindexes with relevant data from
`.kibana_alerting_cases`.\n\nA second type of task is registered, the
index synchronization task.\nFour of these tasks, one for each index,
are scheduled to run every 5\nminutes. The synchronization tasks
populated the indexes with data from\n`.kibana_alerting_cases` that was
created or updated in the last five\nminutes.\n\n## How to test\n\nYou
might want to start Kibana with `--verbose` to see relevant
index\nmessages in the console.\n\nAlternatively(what I normally do), is
go to `analytics_index.ts`,\n`backfill_task_runner.ts`, and
`synchronization_task_runner.ts`, and\nchange the `logDebug` function to
call `this.logger.info` instead. This\nway, you will have less spam in
the console.\n\nEvery log message starts with the index name between
square brackets, so\nyou can look for `[.internal.cases-` and follow
what is happening.\n\n1. You should have some existing case data, so
before anything else,\nplease create some activity, attachments,
etc.\n2. Add `xpack.cases.analytics.index.enabled: true` to
`kibana.dev.yml`\nand restart Kibana.\n3. Check out
[this\nbranch](elastic/elasticsearch#129414)
from the\nES project.\n4. Start Elastic Search with `yarn es source`.
This will use the above\nversion of Elasticsearch.\n5. Wait a bit for
the indexes to be created and populated(backfilled).\n6. Using the dev
tools:\n - Confirm the indexes exist.\n- Check the index mapping. Does
it match the one in the code? Is the\n`_meta` field
correct?\n-\n`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/mappings.ts`\n
- Check that the painless scripts match the
code.\n-\n`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/painless_scripts.ts`\n-
Confirm your existing case data is in the indexes. (See
**Queries**\nsection below.)\n7. Play around with cases. Some
examples:\n - Create a case\n - Change status/severity\n - Attach
alerts\n - Add files\n - Change category/tags\n - Add comments\n -
etc\n8. Go to the dev tools again and confirm all this shows up in
the\nrelevant indexes. (See **Queries** section below.)\n\n##
Queries\n\nIn addition to the ones, below I have a few more. Things like
reindexing\nwith specific scripts or fetching relevant data
from\n`.kibana_alerting_cases`. Ping me if you want those
queries.\n\n### Checking index content\n```\nGET
/.internal.cases/_search\nGET /.internal.cases-comments/_search\nGET
/.internal.cases-attachments/_search\nGET
/.internal.cases-activity/_search\n```\n\n### Checking index
mappings\n```\nGET /.internal.cases\nGET /.internal.cases-comments\nGET
/.internal.cases-attachments\nGET /.internal.cases-activity\n```\n\n###
Fetching the painless scripts\n```\nGET
/_scripts/cai_cases_script_1\nGET
/_scripts/cai_attachments_script_1\nGET
/_scripts/cai_comments_script_1\nGET
/_scripts/cai_activity_script_1\n```\n\n### Emptying the indexes\n\nIt
is sometimes useful for testing.\n```\nPOST
/.internal.cases/_delete_by_query\nPOST
/.internal.cases-comments/_delete_by_query\nPOST
/.internal.cases-attachments/_delete_by_query\nPOST
/.internal.cases-activity/_delete_by_query\n```\n\n### Deleting the
indexes\n\nIt is sometimes useful for testing.\n```\nDELETE
/.internal.cases\nDELETE /.internal.cases-comments\nDELETE
/.internal.cases-attachments\nDELETE
/.internal.cases-activity\n```\n\n## Release notes\n\nFour dedicated
case analytics indexes were created, allowing users to\nbuild dashboards
and metrics over case data. These indexes are created\non Kibana startup
and updated periodically with cases, comments,\nattachments, and
activity data.\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>\nCo-authored-by: Christos
Nasikas
<[email protected]>","sha":"e566fec14b824f2e3c28a16dbfbcfa622b721b4a"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Author: adcoelho

x-pack/platform/plugins/shared/cases/server/cases_analytics/activity_index/constants.ts

@@ -0,0 +1,119 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types';
+
+import { ALERTING_CASES_SAVED_OBJECT_INDEX } from '@kbn/core-saved-objects-server';
+
+export const CAI_ACTIVITY_INDEX_NAME = '.internal.cases-activity';
+
+export const CAI_ACTIVITY_INDEX_ALIAS = '.cases-activity';
+
+export const CAI_ACTIVITY_INDEX_VERSION = 1;
+
+export const CAI_ACTIVITY_SOURCE_QUERY: QueryDslQueryContainer = {
+  bool: {
+    must: [
+      {
+        term: {
+          type: 'cases-user-actions',
+        },
+      },
+      {
+        bool: {
+          should: [
+            {
+              term: {
+                'cases-user-actions.type': 'severity',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'delete_case',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'category',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'status',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'tags',
+              },
+            },
+          ],
+          minimum_should_match: 1,
+        },
+      },
+    ],
+  },
+};
+
+export const CAI_ACTIVITY_SOURCE_INDEX = ALERTING_CASES_SAVED_OBJECT_INDEX;
+
+export const CAI_ACTIVITY_BACKFILL_TASK_ID = 'cai_activity_backfill_task';
+
+export const CAI_ACTIVITY_SYNCHRONIZATION_TASK_ID = 'cai_cases_activity_synchronization_task';
+
+export const getActivitySynchronizationSourceQuery = (
+  lastSyncAt: Date
+): QueryDslQueryContainer => ({
+  bool: {
+    must: [
+      {
+        term: {
+          type: 'cases-user-actions',
+        },
+      },
+      {
+        range: {
+          'cases-user-actions.created_at': {
+            gte: lastSyncAt.toISOString(),
+          },
+        },
+      },
+      {
+        bool: {
+          should: [
+            {
+              term: {
+                'cases-user-actions.type': 'severity',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'delete_case',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'category',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'status',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'tags',
+              },
+            },
+          ],
+          minimum_should_match: 1,
+        },
+      },
+    ],
+  },
+});

x-pack/platform/plugins/shared/cases/server/cases_analytics/activity_index/index.ts

@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ElasticsearchClient, Logger } from '@kbn/core/server';
+import type { TaskManagerStartContract } from '@kbn/task-manager-plugin/server';
+import { AnalyticsIndex } from '../analytics_index';
+import {
+  CAI_ACTIVITY_INDEX_NAME,
+  CAI_ACTIVITY_INDEX_ALIAS,
+  CAI_ACTIVITY_INDEX_VERSION,
+  CAI_ACTIVITY_SOURCE_INDEX,
+  CAI_ACTIVITY_SOURCE_QUERY,
+  CAI_ACTIVITY_BACKFILL_TASK_ID,
+  CAI_ACTIVITY_SYNCHRONIZATION_TASK_ID,
+} from './constants';
+import { CAI_ACTIVITY_INDEX_MAPPINGS } from './mappings';
+import { CAI_ACTIVITY_INDEX_SCRIPT, CAI_ACTIVITY_INDEX_SCRIPT_ID } from './painless_scripts';
+import { scheduleCAISynchronizationTask } from '../tasks/synchronization_task';
+
+export const createActivityAnalyticsIndex = ({
+  esClient,
+  logger,
+  isServerless,
+  taskManager,
+}: {
+  esClient: ElasticsearchClient;
+  logger: Logger;
+  isServerless: boolean;
+  taskManager: TaskManagerStartContract;
+}): AnalyticsIndex =>
+  new AnalyticsIndex({
+    logger,
+    esClient,
+    isServerless,
+    taskManager,
+    indexName: CAI_ACTIVITY_INDEX_NAME,
+    indexAlias: CAI_ACTIVITY_INDEX_ALIAS,
+    indexVersion: CAI_ACTIVITY_INDEX_VERSION,
+    mappings: CAI_ACTIVITY_INDEX_MAPPINGS,
+    painlessScriptId: CAI_ACTIVITY_INDEX_SCRIPT_ID,
+    painlessScript: CAI_ACTIVITY_INDEX_SCRIPT,
+    taskId: CAI_ACTIVITY_BACKFILL_TASK_ID,
+    sourceIndex: CAI_ACTIVITY_SOURCE_INDEX,
+    sourceQuery: CAI_ACTIVITY_SOURCE_QUERY,
+  });
+
+export const scheduleActivityAnalyticsSyncTask = ({
+  taskManager,
+  logger,
+}: {
+  taskManager: TaskManagerStartContract;
+  logger: Logger;
+}) => {
+  scheduleCAISynchronizationTask({
+    taskId: CAI_ACTIVITY_SYNCHRONIZATION_TASK_ID,
+    sourceIndex: CAI_ACTIVITY_SOURCE_INDEX,
+    destIndex: CAI_ACTIVITY_INDEX_NAME,
+    taskManager,
+    logger,
+  }).catch((e) => {
+    logger.error(
+      `Error scheduling ${CAI_ACTIVITY_SYNCHRONIZATION_TASK_ID} task, received ${e.message}`
+    );
+  });
+};

x-pack/platform/plugins/shared/cases/server/cases_analytics/activity_index/mappings.ts

@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { MappingTypeMapping } from '@elastic/elasticsearch/lib/api/types';
+
+export const CAI_ACTIVITY_INDEX_MAPPINGS: MappingTypeMapping = {
+  dynamic: false,
+  properties: {
+    '@timestamp': {
+      type: 'date',
+    },
+    case_id: {
+      type: 'keyword',
+    },
+    action: {
+      type: 'keyword',
+    },
+    type: {
+      type: 'keyword',
+    },
+    payload: {
+      properties: {
+        status: {
+          type: 'keyword',
+        },
+        tags: {
+          type: 'keyword',
+        },
+        category: {
+          type: 'keyword',
+        },
+        severity: {
+          type: 'keyword',
+        },
+      },
+    },
+    created_at: {
+      type: 'date',
+    },
+    created_at_ms: {
+      type: 'long',
+    },
+    created_by: {
+      properties: {
+        username: {
+          type: 'keyword',
+        },
+        profile_uid: {
+          type: 'keyword',
+        },
+        full_name: {
+          type: 'keyword',
+        },
+        email: {
+          type: 'keyword',
+        },
+      },
+    },
+    owner: {
+      type: 'keyword',
+    },
+    space_ids: {
+      type: 'keyword',
+    },
+  },
+};

x-pack/platform/plugins/shared/cases/server/cases_analytics/activity_index/painless_scripts.ts

@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { StoredScript } from '@elastic/elasticsearch/lib/api/types';
+import { CAI_ACTIVITY_INDEX_VERSION } from './constants';
+
+export const CAI_ACTIVITY_INDEX_SCRIPT_ID = `cai_activity_script_${CAI_ACTIVITY_INDEX_VERSION}`;
+export const CAI_ACTIVITY_INDEX_SCRIPT: StoredScript = {
+  lang: 'painless',
+  source: `
+    def source = [:];
+    source.putAll(ctx._source);
+    ctx._source.clear();
+
+    ctx._source.action = source["cases-user-actions"].action;
+    ctx._source.type = source["cases-user-actions"].type;
+
+    long milliSinceEpoch = new Date().getTime();
+    Instant instant = Instant.ofEpochMilli(milliSinceEpoch);
+    ctx._source['@timestamp'] = ZonedDateTime.ofInstant(instant, ZoneId.of('Z'));
+
+    ZonedDateTime zdt_created =
+      ZonedDateTime.parse(source["cases-user-actions"].created_at);
+    ctx._source.created_at_ms = zdt_created.toInstant().toEpochMilli();
+    ctx._source.created_at = source["cases-user-actions"].created_at;
+
+    if (source["cases-user-actions"].created_by != null) {
+        ctx._source.created_by = new HashMap();
+        ctx._source.created_by.full_name = source["cases-user-actions"].created_by.full_name;
+        ctx._source.created_by.username = source["cases-user-actions"].created_by.username;
+        ctx._source.created_by.profile_uid = source["cases-user-actions"].created_by.profile_uid;
+        ctx._source.created_by.email = source["cases-user-actions"].created_by.email;
+    }
+
+    if (source["cases-user-actions"].payload != null) {
+      ctx._source.payload = new HashMap();
+
+      if (source["cases-user-actions"].type == "severity" && source["cases-user-actions"].payload.severity != null) {
+        ctx._source.payload.severity = source["cases-user-actions"].payload.severity;
+      }
+
+      if (source["cases-user-actions"].type == "category" && source["cases-user-actions"].payload.category != null) {
+        ctx._source.payload.category = source["cases-user-actions"].payload.category;
+      }
+
+      if (source["cases-user-actions"].type == "status" && source["cases-user-actions"].payload.status != null) {
+        ctx._source.payload.status = source["cases-user-actions"].payload.status;
+      }
+
+      if (source["cases-user-actions"].type == "tags" && source["cases-user-actions"].payload.tags != null) {
+        ctx._source.payload.tags = source["cases-user-actions"].payload.tags;
+      }
+    }
+
+    if (source.references != null) {
+      for (item in source.references) {
+        if (item.type == "cases") {
+          ctx._source.case_id = item.id;
+        }
+      }
+    }
+
+    ctx._source.owner = source["cases-user-actions"].owner;
+    ctx._source.space_ids = source.namespaces;
+  `,
+};