To demonstrate the issue more clearly, here is some example data. Keep in mind that this is simplified – the real data contains many different fields that I may wish to query against, hence the above statements about unwind not being a satisfactory solution:
```
// Objects
{ "_id" : ObjectId("5cfc73657e2438b115888d1b"), "ip" : NumberLong("12345"), "timestamp" : ISODate("2019-06-09T02:45:45Z"), "vulns" : [ "cve-2019-19781" ] },
{ "_id" : ObjectId("5d04c5497e2438b115b06659"), "ip" : NumberLong("12345"), "timestamp" : ISODate("2019-06-15T10:13:33Z"), "vulns" : [ "" ] },
{ "_id" : ObjectId("5d108c52211d917c6ff48bfd"), "ip" : NumberLong("12345"), "timestamp" : ISODate("2019-06-24T08:37:31Z"), "vulns" : [ "cve-2019-19781", "other-vuln" ] },

// Desired output from aggregate
{"ip" : NumberLong("12345"), "timestamp" : ISODate("2019-06-09T02:45:45Z"), "condition": 1 },
{"ip" : NumberLong("12345"), "timestamp" : ISODate("2019-06-15T10:13:33Z"), "condition": 0 },
{"ip" : NumberLong("12345"), "timestamp" : ISODate("2019-06-24T08:37:31Z"), "condition": 1 },
```