Upgrading to Elasticsearch 5.6.x

Cloudera Cybersecurity Platform (CCP) has deprecated support for Elasticsearch 2.x. You must upgrade to Elasticsearch 5.x to run CCP queries in the current release. In addition to upgrading to Elasticsearch 5.x, you must also update the Elasticsearch type mappings, index templates, and existing sensors.

Elasticsearch 5.x requires that all sensor templates include a nested alert field definition. Without this field, an error is thrown during all searches resulting in no alerts being found. This error is found in the REST service's logs:
QueryParsingException[[nested] failed to find nested object under path [alert]];
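The following script is an added example, not part of the Cloudera documentation or the CCP code base. It shows what the required definition looks like in an Elasticsearch 5.x index template (an `alert` property of type `nested` under each document type's `properties`) and audits a set of templates, as returned by `GET _template`, for document types that lack it. The sensor name `bro`, the template pattern `bro_index*`, the document type `bro_doc` and the other field names are constructed assumptions for illustration.

```python
import copy
import json
import sys

# Constructed sample: an Elasticsearch 5.x index template for a hypothetical
# "bro" sensor whose mapping lacks the nested alert field. Sensor name,
# template pattern, document type and field names are assumptions.
SAMPLE_TEMPLATE_MISSING_ALERT = {
    "template": "bro_index*",
    "mappings": {
        "bro_doc": {
            "properties": {
                "timestamp": {"type": "date", "format": "epoch_millis"},
                "ip_src_addr": {"type": "ip"},
                "ip_dst_addr": {"type": "ip"},
            }
        }
    },
}

# The definition every sensor template must carry under each document type.
NESTED_ALERT = {"type": "nested"}


def mapping_types_missing_alert(template):
    """Return the document types in an ES 5.x template whose 'properties'
    have no 'alert' field, or whose 'alert' field is not of type 'nested'
    (for example 'object'), since either case triggers the
    'failed to find nested object under path [alert]' search error."""
    missing = []
    for doc_type, mapping in template.get("mappings", {}).items():
        alert = mapping.get("properties", {}).get("alert")
        if not isinstance(alert, dict) or alert.get("type") != "nested":
            missing.append(doc_type)
    return missing


def has_nested_alert(template):
    """True only if the template defines at least one document type and
    every document type carries the nested alert definition."""
    return bool(template.get("mappings")) and not mapping_types_missing_alert(template)


def add_nested_alert(template):
    """Return a deep copy of the template with 'alert': {'type': 'nested'}
    set on every document type. The input is left untouched so the original
    can be compared with the corrected version before it is re-applied."""
    fixed = copy.deepcopy(template)
    for mapping in fixed.setdefault("mappings", {}).values():
        mapping.setdefault("properties", {})["alert"] = dict(NESTED_ALERT)
    return fixed


def check_templates(templates):
    """Audit a {template_name: template_body} dict, the shape returned by
    GET _template. Returns {template_name: [offending document types]} for
    every template that fails the check; an empty dict means all pass."""
    report = {}
    for name, body in templates.items():
        if not has_nested_alert(body):
            report[name] = mapping_types_missing_alert(body) or ["<no document types defined>"]
    return report


if __name__ == "__main__":
    # Usage (hypothetical host): curl -s 'http://localhost:9200/_template' | python check_alert_mapping.py
    # With no piped input the constructed sample above is audited instead.
    if sys.stdin.isatty():
        templates = {"bro": SAMPLE_TEMPLATE_MISSING_ALERT}
    else:
        templates = json.load(sys.stdin)
    report = check_templates(templates)
    for name, doc_types in report.items():
        print("template %s: nested alert definition missing for %s" % (name, ", ".join(doc_types)))
        print(json.dumps(add_nested_alert(templates[name]), indent=2))
    if not report:
        print("all %d template(s) define a nested alert field" % len(templates))
```

The corrected template body printed for each failing entry is what you would PUT back to `_template/<name>` before re-indexing; the script only reads and prints, so it is safe to run against a live cluster during the upgrade review.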